Vulnerabilities and exposures for PLCnext Control AXC F 2152
The following sections list the security vulnerabilities (CVEs) that have been resolved in the respective firmware release. For more information about the specified CVE numbers, see:
Information on the Phoenix Contact PSIRT can be found at https://www.phoenixcontact.com/psirt.
Firmware releases 2026.x
2026.0.5 LTS2026.0.5 LTS
Released on 2026-07-10
Gnutls
- CVE-2026-42009
OpenSSL
- CVE-2026-34182
- CVE-2026-7383
- CVE-2026-9076
- CVE-2026-34180
- CVE-2026-45445
- CVE-2026-42766
- CVE-2026-42767
- CVE-2026-45446
- CVE-2026-42770
- CVE-2026-45447
Nginx
- CVE-2026-1642
- CVE-2026-9256
2026.0.4 LTS2026.0.4 LTS
Released on 2026-06-01
Backup & Restore
- During decryption of an encrypted backup, a WBM alert containing internal security-related information was triggered when a user entered an incorrect password.
- During backup creation it was possible to set an encryption password with the length of one character.
Curl
- CVE-2026-4873
- CVE-2026-5545
- CVE-2026-5773
- CVE-2026-6253
- CVE-2026-6276
- CVE-2026-6429
- CVE-2026-7168
- CVE-2026-1965
- CVE-2026-3783
- CVE-2026-3784
Expat
- CVE-2026-45186
Gnutls
- CVE-2026-3833
- CVE-2026-33845
- CVE-2026-3832
- CVE-2026-42010
Kernel
- CVE-2026-46300
- CVE-2026-43186
Libexpat
- CVE-2026-41080
- CVE-2026-32777
- CVE-2026-32776
- CVE-2026-32778
Openssh
Support of the obsolete “+ssh-rsa” algorithm has now been removed. In order to maintain compatibility with older clients, the algorithm was explicitly reactivated in previous updates, despite being communicated as removed.
Rsync
- CVE-2026-43617
- CVE-2026-45232
- CVE-2026-43619
- CVE-2026-43620
- CVE-2026-41035
- CVE-2026-43618
- CVE-2026-29518
2026.0.3 LTS2026.0.3 LTS
Released on 2026-05-21
ACF
- CVE-2025-41670 Updated on 2026-05-27
Glibc
- CVE-2026-4438
- CVE-2026-4437
- CVE-2026-4046
Kernel
- CVE-2026-31431
- CVE-2026-43037
- CVE-2026-43038
- CVE-2026-43284
Libssh
- CVE-2025-5987
- CVE-2026-3731
Nghttp2
- CVE-2026-27135
NTP
Via web-based management service any parameters for the NTP/chrony configuration could be written to the configuration file and applied accordingly.
Openssh
- CVE-2026-35386
- CVE-2026-35385
- CVE-2026-35414
- CVE-2026-35387
- CVE-2026-35388
Openssl
- CVE-2026-31790
- CVE-2026-28390
- CVE-2026-28389
- CVE-2026-28388
- CVE-2026-28387
- CVE-2026-31789
Python
- CVE-2025-13837
- CVE-2025-12084
- CVE-2025-13836
2026.0.2 LTS2026.0.2 LTS
Released on 2026-04-16
Backup and Restore
- The certificates from the Identity Store were not saved within a backup file.
- Restoring a manipulated backup file led to an exception and system watchdog.
Curl
- CVE-2025-14017
- CVE-2025-0167
- CVE-2025-5025
- CVE-2025-15079
- CVE-2025-14819
- CVE-2025-14524
- CVE-2025-10148
- CVE-2025-15224
DPKG
- CVE-2025-6297
Git
- CVE-2025-48384
Glib
- CVE-2025-14512
- CVE-2025-13601
- CVE-2025-14087
- CVE-2025-3360
- CVE-2025-4373
- CVE-2025-7039
- CVE-2025-6052
Glibc
CVE-2025-15281
CVE-2026-0861
CVE-2026-0915
CVE-2025-8058
CVE-2025-5702
Gnutls
CVE-2025-32989
CVE-2025-32988
CVE-2025-32990
CVE-2025-6395
CVE-2025-32988
GRPC
CVE-2024-11407
CVE-2024-7246
Libxpat
CVE-2026-24515
CVE-2025-59375
Libssh
CVE-2025-8114
CVE-2025-5351
Libtasn
- CVE-2025-13151
Libxml
- CVE-2025-7425
Ncurses
- CVE-2025-6141
Nginx
- CVE-2025-23419
- CVE-2025-53859
Openssh
- CVE-2025-61985
- CVE-2025-61984
- CVE-2025-32728
Openssl
- CVE-2026-22796
- CVE-2026-22795
- CVE-2025-69421
- CVE-2025-69420
- CVE-2025-69419
- CVE-2025-69418
- CVE-2025-68160
- CVE-2025-15467
- CVE-2025-9230
- CVE-2025-9232
OpenVPN
- CVE-2025-13086
PROFINET
- A malformed LLDP frame could cause a crash (stack overflow) and potential code execution.
Rapidjson
- CVE-2024-39684
RSC
- A manipulated message interrupted the RSC communication to the PLCnext Engineer. In addition, the internal CPU system load increased up to 100 %.
- Calls to internal RSC services without SecurityStub were allowed if the providing component was running in another process than the RscGateway.
Rsync
- CVE-2025-10158
System
- CVE-2025-41669
- By activating the remote gRPC server, it was possible to use every available endpoint without authentication. This includes for example reading and writing GDS variables, as well as restarting the device, and processing a factory reset.
- Missing certificates in case of project integrity in the Trust Store Code Signing led to unclear security notifications.
- Writing primitive variables using “IDataAccessService::Write” instead of “IDataAccessService::WriteSingle”, the additional information “from <oldValue> to <newValue>” was missing in the corresponding security notification.
- A Denial of Service (DoS) attack on port 80 could lead to a task watchdog of the running PLC application.
- The AppManager did not lock the loading of an app in time to prevent the PlcManager from loading the eCLR project. This led to an impairment of cybersecurity, as the loaded code could still be executed in the event of an expired license.
- A standard user on the device was able to access any files on the device. This situation was caused by misconfigured sudo permissions associated with the “nft” binary.
- In case of user handling some notifications showed internal user-related information.
Sqlite
- CVE-2025-6965
- CVE-2025-7709
- CVE-2025-52099
WBM
- CVE-2025-41771
- The WBM certificate management was unable to add PEM certificates which contained “CRLF” instead of “LF”.
- In LDAP/LDAPs WBM configuration, a port setting was not reset to default if the port was removed on existing configurations.
- In connection with certificate management, security notifications were not generated anymore.