Vulnerabilities and exposures for PLCnext Control BPC 9102S and BPC 9202S

The following sections list the security vulnerabilities (CVEs) that have been resolved in the respective firmware release. For more information about the specified CVE numbers, see:

Information on the Phoenix Contact PSIRT can be found at https://www.phoenixcontact.com/psirt.

Firmware releases 2026.x

2026.0.4 LTS2026.0.4 LTS

 Released on 2026-06-01

Backup & Restore

  • During decryption of an encrypted backup, a WBM alert containing internal security-related information was triggered when a user entered an incorrect password.
  • During backup creation it was possible to set an encryption password with the length of one character.

Curl

  • CVE-2026-4873 
  • CVE-2026-5545 
  • CVE-2026-5773 
  • CVE-2026-6253 
  • CVE-2026-6276 
  • CVE-2026-6429 
  • CVE-2026-7168 
  • CVE-2026-1965 
  • CVE-2026-3783 
  • CVE-2026-3784

Expat

  • CVE-2026-45186

Gnutls

  • CVE-2026-3833 
  • CVE-2026-33845
  • CVE-2026-3832
  • CVE-2026-42010

Kernel

  • CVE-2026-46300
  • CVE-2026-43186

Libexpat

  • CVE-2026-41080
  • CVE-2026-32777
  • CVE-2026-32776
  • CVE-2026-32778

Openssh

Support of the obsolete “+ssh-rsa” algorithm has now been removed. In order to maintain compatibility with older clients, the algorithm was explicitly reactivated in previous updates, despite being communicated as removed.

Rsync

  • CVE-2026-43617
  • CVE-2026-45232
  • CVE-2026-43619
  • CVE-2026-43620
  • CVE-2026-41035
  • CVE-2026-43618
  • CVE-2026-29518

2026.0.3 LTS2026.0.3 LTS

 Released on 2026-05-13

ACF

  • CVE-2025-41670 Updated on 2026-05-27

Glibc

  • CVE-2026-4438 
  • CVE-2026-4437 
  • CVE-2026-4046 

Kernel

  • CVE-2026-31431
  • CVE-2026-43037
  • CVE-2026-43038
  • CVE-2026-43284

Libssh

  • CVE-2025-5987 
  • CVE-2026-3731

Nghttp2

  • CVE-2026-27135

NTP

Via web-based management service any parameters for the NTP/chrony configuration could be written to the configuration file and applied accordingly.

Openssh

  • CVE-2026-35386 
  • CVE-2026-35385 
  • CVE-2026-35414 
  • CVE-2026-35387 
  • CVE-2026-35388 

Openssl

  • CVE-2026-31790 
  • CVE-2026-28390 
  • CVE-2026-28389 
  • CVE-2026-28388 
  • CVE-2026-28387 
  • CVE-2026-31789 

Python

  • CVE-2025-13837
  • CVE-2025-12084
  • CVE-2025-13836

2026.0.1 LTS2026.0.1 LTS

Released on 2026-03-11

Backup and Restore

  • The certificates from the Identity Store were not saved within a backup file.
  • Restoring a manipulated backup file led to an exception and system watchdog.

Curl

  • CVE-2025-14017 
  • CVE-2025-0167 
  • CVE-2025-5025
  • CVE-2025-15079 
  • CVE-2025-14819 
  • CVE-2025-14524 
  • CVE-2025-10148 
  • CVE-2025-15224

DPKG

  • CVE-2025-6297

Git

  • CVE-2025-48384

Glib

  • CVE-2025-14512 
  • CVE-2025-13601 
  • CVE-2025-14087 
  • CVE-2025-3360 
  • CVE-2025-4373 
  • CVE-2025-7039 
  • CVE-2025-6052

Glibc

  • CVE-2025-15281 
  • CVE-2026-0861 
  • CVE-2026-0915 
  • CVE-2025-8058 
  • CVE-2025-5702

Gnutls

  • CVE-2025-32989 
  • CVE-2025-32988 
  • CVE-2025-32990 
  • CVE-2025-6395 
  • CVE-2025-32988

GRPC

  • CVE-2024-11407 
  • CVE-2024-7246

Libxpat

  • CVE-2026-24515 
  • CVE-2025-59375

Libssh

  • CVE-2025-8114 
  • CVE-2025-5351

Libtasn

  • CVE-2025-13151

Libxml

  • CVE-2025-7425

Ncurses

  • CVE-2025-6141

Nginx

  • CVE-2025-23419 
  • CVE-2025-53859

Openssh

  • CVE-2025-61985 
  • CVE-2025-61984 
  • CVE-2025-32728

Openssl

  • CVE-2026-22796 
  • CVE-2026-22795 
  • CVE-2025-69421 
  • CVE-2025-69420 
  • CVE-2025-69419 
  • CVE-2025-69418 
  • CVE-2025-68160 
  • CVE-2025-15467 
  • CVE-2025-9230 
  • CVE-2025-9232

OpenVPN

  • CVE-2025-13086

PROFINET

A malformed LLDP frame could cause a crash (stack overflow) and potential code execution.

Rapidjson

  • CVE-2024-39684

RSC

  • A manipulated message interrupted the RSC communication to the PLCnext Engineer. In addition, the internal CPU system load increased up to 100 %.
  • Calls to internal RSC services without SecurityStub were allowed if the providing component was running in another process than the RscGateway.

Rsync

  • CVE-2025-10158

System

  • CVE-2025-41669
  • By activating the remote gRPC server, it was possible to use every available endpoint without authentication. This includes for example reading and writing GDS variables, as well as restarting the device, and processing a factory reset.
  • Missing certificates in case of project integrity in the Trust Store Code Signing led to unclear security notifications.
  • A Denial of Service (DoS) attack on port 22 could lead to a task watchdog of the running PLC application.
  • Writing primitive variables using “IDataAccessService::Write” instead of “IDataAccessService::WriteSingle”, the additional information “from <oldValue> to <newValue>” was missing in the corresponding security notification.
  • The AppManager did not lock the loading of an app in time to prevent the PlcManager from loading the eCLR project. This led to an impairment of cybersecurity, as the loaded code could still be executed in the event of an expired license.
  • A Denial of Service (DoS) attack on port 22 or 443 could lead to a task watchdog of the running PLC application.
  • A standard user on the device was able to access any files on the device. This situation was caused by misconfigured sudo permissions associated with the “nft” binary.
  • In case of user handling some notifications showed internal user-related information.

Sqlite

  • CVE-2025-6965
  • CVE-2025-7709 
  • CVE-2025-52099

WBM

  • CVE-2025-41771
  • The WBM certificate management was unable to add PEM certificates which contained “CRLF” instead of “LF”.
  • In LDAP/LDAPs WBM configuration, a port setting was not reset to default if the port was removed on existing configurations.
  • In connection with certificate management, security notifications were not generated anymore.

 

 


• Published/reviewed: 2026-07-10  ☀  Revision 098 •