Description
A local user with low privileges may be able to influence the behavior of a privileged system service by manipulating configuration or application-related files located in user-writable areas of the filesystem. The affected service processes data from locations that are not sufficiently protected against modification by low-privileged users. As the service runs with elevated privileges, successful exploitation may result in a local privilege escalation.
Published: 2026-05-27
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An untrusted search path flaw (CWE-427) in a privileged service allows a local user with low privileges to write or replace configuration or application files in directories that the service reads. Because the service runs with elevated rights and does not protect those input locations, an attacker can alter the service’s behavior or inject malicious code, giving them the service’s privileges and full control over the device.

Affected Systems

The affected products are Phoenix Contact PLCs and control systems: AXC F 1152, AXC F 1252, AXC F 2000 EA, AXC F 2152, AXC F 3152, BPC 9102S, EPC 1522, RFC 4072R, RFC 4072S, VL3 UPC 2440 EDGE, VPLCNEXT CONTROL 1000, 2000, 3000, and 500. No specific version ranges are listed in the CNA data.

Risk and Exploitability

With a CVSS score of 8.7 this issue is high severity, but the EPSS score is not available, making it unclear how frequently it is being attacked today. The vulnerability is not listed in CISA’s KEV catalog, indicating no known active exploitation. The attack requires local access to write into the vulnerable directories; no external network exploitation is described. Successful abuse would grant the attacker full system privileges on the affected device.

Generated by OpenCVE AI on May 27, 2026 at 10:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Phoenix Contact firmware or patch that addresses the untrusted search path flaw.
  • Restrict permissions on the directories that the privileged service accesses so that only trusted system users can write to them.
  • Reconfigure the service (if supported) to use system‑owned configuration paths and validate inputs before processing.

Generated by OpenCVE AI on May 27, 2026 at 10:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 27 May 2026 08:00:00 +0000

Type Values Removed Values Added
Description A local user with low privileges may be able to influence the behavior of a privileged system service by manipulating configuration or application-related files located in user-writable areas of the filesystem. The affected service processes data from locations that are not sufficiently protected against modification by low-privileged users. As the service runs with elevated privileges, successful exploitation may result in a local privilege escalation.
Title Untrusted Search Path
First Time appeared Phoenix Contact
Phoenix Contact axc F 1152
Phoenix Contact axc F 1252
Phoenix Contact axc F 2000 Ea
Phoenix Contact axc F 2152
Phoenix Contact axc F 3152
Phoenix Contact bpc 9102s
Phoenix Contact epc 1522
Phoenix Contact rfc 4072r
Phoenix Contact rfc 4072s
Phoenix Contact vl3 Upc 2440 Edge
Phoenix Contact vplcnext Control 1000
Phoenix Contact vplcnext Control 2000
Phoenix Contact vplcnext Control 3000
Phoenix Contact vplcnext Control 500
Weaknesses CWE-427
CPEs cpe:2.3:a:phoenix_contact:axc_f_1152:*:*:*:*:*:*:*:*
cpe:2.3:a:phoenix_contact:axc_f_1252:*:*:*:*:*:*:*:*
cpe:2.3:a:phoenix_contact:axc_f_2000_ea:*:*:*:*:*:*:*:*
cpe:2.3:a:phoenix_contact:axc_f_2152:*:*:*:*:*:*:*:*
cpe:2.3:a:phoenix_contact:axc_f_3152:*:*:*:*:*:*:*:*
cpe:2.3:a:phoenix_contact:bpc_9102s:*:*:*:*:*:*:*:*
cpe:2.3:a:phoenix_contact:epc_1522:*:*:*:*:*:*:*:*
cpe:2.3:a:phoenix_contact:rfc_4072r:*:*:*:*:*:*:*:*
cpe:2.3:a:phoenix_contact:rfc_4072s:*:*:*:*:*:*:*:*
cpe:2.3:a:phoenix_contact:vl3_upc_2440_edge:*:*:*:*:*:*:*:*
cpe:2.3:a:phoenix_contact:vplcnext_control_1000:*:*:*:*:*:*:*:*
cpe:2.3:a:phoenix_contact:vplcnext_control_2000:*:*:*:*:*:*:*:*
cpe:2.3:a:phoenix_contact:vplcnext_control_3000:*:*:*:*:*:*:*:*
cpe:2.3:a:phoenix_contact:vplcnext_control_500:*:*:*:*:*:*:*:*
Vendors & Products Phoenix Contact
Phoenix Contact axc F 1152
Phoenix Contact axc F 1252
Phoenix Contact axc F 2000 Ea
Phoenix Contact axc F 2152
Phoenix Contact axc F 3152
Phoenix Contact bpc 9102s
Phoenix Contact epc 1522
Phoenix Contact rfc 4072r
Phoenix Contact rfc 4072s
Phoenix Contact vl3 Upc 2440 Edge
Phoenix Contact vplcnext Control 1000
Phoenix Contact vplcnext Control 2000
Phoenix Contact vplcnext Control 3000
Phoenix Contact vplcnext Control 500
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Phoenix Contact Axc F 1152 Axc F 1252 Axc F 2000 Ea Axc F 2152 Axc F 3152 Bpc 9102s Epc 1522 Rfc 4072r Rfc 4072s Vl3 Upc 2440 Edge Vplcnext Control 1000 Vplcnext Control 2000 Vplcnext Control 3000 Vplcnext Control 500
cve-icon MITRE

Status: PUBLISHED

Assigner: CERTVDE

Published:

Updated: 2026-05-27T12:04:21.896Z

Reserved: 2025-04-16T11:17:48.308Z

Link: CVE-2025-41670

cve-icon Vulnrichment

Updated: 2026-05-27T12:04:16.661Z

cve-icon NVD

Status : Received

Published: 2026-05-27T08:16:39.920

Modified: 2026-05-27T08:16:39.920

Link: CVE-2025-41670

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T12:15:05Z

Weaknesses