Vulnerabilities and exposures for PLCnext Control Virtual PLCnext Control

The following sections list the security vulnerabilities (CVEs) that have been resolved in the respective firmware release. For more information about the specified CVE numbers, see:

Information on the Phoenix Contact PSIRT can be found at https://www.phoenixcontact.com/psirt.

Firmware releases 2026.x

2026.0.5 LTS2026.0.5 LTS

Released on 2026-07-10

Gnutls

  • CVE-2026-42009

OpenSSL

  • CVE-2026-34182 
  • CVE-2026-7383 
  • CVE-2026-9076 
  • CVE-2026-34180 
  • CVE-2026-45445 
  • CVE-2026-42766 
  • CVE-2026-42767 
  • CVE-2026-45446 
  • CVE-2026-42770 
  • CVE-2026-45447

Nginx

  • CVE-2026-1642 
  • CVE-2026-9256

2026.0.4 LTS2026.0.4 LTS

 Released on 2026-06-01

ACF 

  • CVE-2025-41670

App

PLCnext Technology Apps using containers could not access the gRPC interface because the role “app_user” is no longer a member of the “plcnext” group for “secure-by-default” devices.

Backup and Restore

  • The certificates from the Identity Store were not saved within a backup file.
  • Restoring a manipulated backup file led to an exception and system watchdog.
  • During decryption of an encrypted backup, a WBM alert containing internal security-related information was triggered when a user entered an incorrect password.
  • During backup creation it was possible to set an encryption password with the length of one character.

Curl

  • CVE-2025-14017 
  • CVE-2025-0167 
  • CVE-2025-5025
  • CVE-2025-15079
  • CVE-2025-14819 
  • CVE-2025-14524 
  • CVE-2025-10148 
  • CVE-2025-15224
  • CVE-2026-4873 
  • CVE-2026-5545 
  • CVE-2026-5773 
  • CVE-2026-6253 
  • CVE-2026-6276 
  • CVE-2026-6429 
  • CVE-2026-7168 
  • CVE-2026-1965 
  • CVE-2026-3783 
  • CVE-2026-3784

DPKG

  • CVE-2025-6297

Expat

  • CVE-2026-45186

Git

  • CVE-2025-48384

Glib

  • CVE-2025-14512 
  • CVE-2025-13601 
  • CVE-2025-14087 
  • CVE-2025-3360 
  • CVE-2025-4373 
  • CVE-2025-7039 
  • CVE-2025-6052

Glibc

CVE-2025-15281 
CVE-2026-0861 
CVE-2026-0915 
CVE-2025-8058 
CVE-2025-5702
CVE-2026-4438 
CVE-2026-4437 
CVE-2026-4046 
CVE-2024-2961

Gnutls

CVE-2025-32989 
CVE-2025-32988 
CVE-2025-32990 
CVE-2025-6395 
CVE-2025-32988
CVE-2026-3833 
CVE-2026-33845
CVE-2026-3832
CVE-2026-42010

GRPC

CVE-2024-11407 
CVE-2024-7246

Kernel

CVE-2026-31431
CVE-2026-43037
CVE-2026-43038
CVE-2026-43284
CVE-2026-46300
CVE-2026-43186

Libxpat

CVE-2026-24515 
CVE-2025-59375
CVE-2026-41080
CVE-2026-32777
CVE-2026-32776
CVE-2026-32778

Libssh

CVE-2025-8114 
CVE-2025-5351
CVE-2025-5987 
CVE-2026-3731

Libtasn

CVE-2025-13151

Libxml

CVE-2025-7425

Ncurses

CVE-2025-6141

Nginx

CVE-2025-23419 
CVE-2025-53859

Nghttp2

CVE-2026-27135

NTP

Via web-based management service any parameters for the NTP/chrony configuration could be written to the configuration file and applied accordingly.

Openssh

CVE-2025-61985 
CVE-2025-61984 
CVE-2025-32728
CVE-2026-35386
CVE-2026-35385
CVE-2026-35414 
CVE-2026-35387 
CVE-2026-35388 
Support of the obsolete “+ssh-rsa” algorithm has now been removed. In order to maintain compatibility with older clients, the algorithm was explicitly reactivated in previous updates, despite being communicated as removed.

Openssl

CVE-2026-22796 
CVE-2026-22795 
CVE-2025-69421 
CVE-2025-69420 
CVE-2025-69419 
CVE-2025-69418 
CVE-2025-68160 
CVE-2025-15467 
CVE-2025-9230 
CVE-2025-9232
CVE-2026-31790 
CVE-2026-28390 
CVE-2026-28389 
CVE-2026-28388 
CVE-2026-28387 
CVE-2026-31789

OpenVPN

CVE-2025-13086

PROFINET

A malformed LLDP frame could cause a crash (stack overflow) and potential code execution.

Python

CVE-2025-13837 
CVE-2025-12084 
CVE-2025-13836

Rapidjson

CVE-2024-39684

RSC

A manipulated message interrupted the RSC communication to the PLCnext Engineer. In addition, the internal CPU system load increased up to 100 %.
Calls to internal RSC services without SecurityStub were allowed if the providing component was running in another process than the RscGateway.

Rsync

CVE-2025-10158
CVE-2026-43617
CVE-2026-45232
CVE-2026-43619
CVE-2026-43620
CVE-2026-41035
CVE-2026-43618
CVE-2026-29518

RSC file service

Read/write access to app directories via the RSC service “Read/Write” was denied on “secure-by-default” devices.

System

CVE-2025-41669
By activating the remote gRPC server, it was possible to use every available endpoint without authentication. This includes for example reading and writing GDS variables, as well as restarting the device, and processing a factory reset.
Missing certificates in case of project integrity in the Trust Store Code Signing led to unclear security notifications.
Writing primitive variables using “IDataAccessService::Write” instead of “IDataAccessService::WriteSingle”, the additional information “from <oldValue> to <newValue>” was missing in the corresponding security notification.
The AppManager did not lock the loading of an app in time to prevent the PlcManager from loading the eCLR project. This led to an impairment of cybersecurity, as the loaded code could still be executed in the event of an expired license.
A standard user on the device was able to access any files on the device. This situation was caused by misconfigured sudo permissions associated with the “nft” binary.
In case of user handling some notifications showed internal user-related information.

Systemd

CVE-2026-40226

Sqlite

CVE-2025-6965
CVE-2025-7709 
CVE-2025-52099

WBM

CVE-2025-41771
The WBM certificate management was unable to add PEM certificates which contained “CRLF” instead of “LF”.
In LDAP/LDAPs WBM configuration, a port setting was not reset to default if the port was removed on existing configurations.
In connection with certificate management, security notifications were not generated anymore.

 

 


• Published/reviewed: 2026-07-10  ☀  Revision 098 •