Vulnerabilities and exposures for PLCnext Control Virtual PLCnext Control
The following sections list the security vulnerabilities (CVEs) that have been resolved in the respective firmware release. For more information about the specified CVE numbers, see:
Information on the Phoenix Contact PSIRT can be found at https://www.phoenixcontact.com/psirt.
Firmware releases 2026.x
2026.0.5 LTS2026.0.5 LTS
Released on 2026-07-10
Gnutls
- CVE-2026-42009
OpenSSL
- CVE-2026-34182
- CVE-2026-7383
- CVE-2026-9076
- CVE-2026-34180
- CVE-2026-45445
- CVE-2026-42766
- CVE-2026-42767
- CVE-2026-45446
- CVE-2026-42770
- CVE-2026-45447
Nginx
- CVE-2026-1642
- CVE-2026-9256
2026.0.4 LTS2026.0.4 LTS
Released on 2026-06-01
ACF
- CVE-2025-41670
App
PLCnext Technology Apps using containers could not access the gRPC interface because the role “app_user” is no longer a member of the “plcnext” group for “secure-by-default” devices.
Backup and Restore
- The certificates from the Identity Store were not saved within a backup file.
- Restoring a manipulated backup file led to an exception and system watchdog.
- During decryption of an encrypted backup, a WBM alert containing internal security-related information was triggered when a user entered an incorrect password.
- During backup creation it was possible to set an encryption password with the length of one character.
Curl
- CVE-2025-14017
- CVE-2025-0167
- CVE-2025-5025
- CVE-2025-15079
- CVE-2025-14819
- CVE-2025-14524
- CVE-2025-10148
- CVE-2025-15224
- CVE-2026-4873
- CVE-2026-5545
- CVE-2026-5773
- CVE-2026-6253
- CVE-2026-6276
- CVE-2026-6429
- CVE-2026-7168
- CVE-2026-1965
- CVE-2026-3783
- CVE-2026-3784
DPKG
- CVE-2025-6297
Expat
- CVE-2026-45186
Git
- CVE-2025-48384
Glib
- CVE-2025-14512
- CVE-2025-13601
- CVE-2025-14087
- CVE-2025-3360
- CVE-2025-4373
- CVE-2025-7039
- CVE-2025-6052
Glibc
CVE-2025-15281
CVE-2026-0861
CVE-2026-0915
CVE-2025-8058
CVE-2025-5702
CVE-2026-4438
CVE-2026-4437
CVE-2026-4046
CVE-2024-2961
Gnutls
CVE-2025-32989
CVE-2025-32988
CVE-2025-32990
CVE-2025-6395
CVE-2025-32988
CVE-2026-3833
CVE-2026-33845
CVE-2026-3832
CVE-2026-42010
GRPC
CVE-2024-11407
CVE-2024-7246
Kernel
CVE-2026-31431
CVE-2026-43037
CVE-2026-43038
CVE-2026-43284
CVE-2026-46300
CVE-2026-43186
Libxpat
CVE-2026-24515
CVE-2025-59375
CVE-2026-41080
CVE-2026-32777
CVE-2026-32776
CVE-2026-32778
Libssh
CVE-2025-8114
CVE-2025-5351
CVE-2025-5987
CVE-2026-3731
Libtasn
CVE-2025-13151
Libxml
CVE-2025-7425
Ncurses
CVE-2025-6141
Nginx
CVE-2025-23419
CVE-2025-53859
Nghttp2
CVE-2026-27135
NTP
Via web-based management service any parameters for the NTP/chrony configuration could be written to the configuration file and applied accordingly.
Openssh
CVE-2025-61985
CVE-2025-61984
CVE-2025-32728
CVE-2026-35386
CVE-2026-35385
CVE-2026-35414
CVE-2026-35387
CVE-2026-35388
Support of the obsolete “+ssh-rsa” algorithm has now been removed. In order to maintain compatibility with older clients, the algorithm was explicitly reactivated in previous updates, despite being communicated as removed.
Openssl
CVE-2026-22796
CVE-2026-22795
CVE-2025-69421
CVE-2025-69420
CVE-2025-69419
CVE-2025-69418
CVE-2025-68160
CVE-2025-15467
CVE-2025-9230
CVE-2025-9232
CVE-2026-31790
CVE-2026-28390
CVE-2026-28389
CVE-2026-28388
CVE-2026-28387
CVE-2026-31789
OpenVPN
CVE-2025-13086
PROFINET
A malformed LLDP frame could cause a crash (stack overflow) and potential code execution.
Python
CVE-2025-13837
CVE-2025-12084
CVE-2025-13836
Rapidjson
CVE-2024-39684
RSC
A manipulated message interrupted the RSC communication to the PLCnext Engineer. In addition, the internal CPU system load increased up to 100 %.
Calls to internal RSC services without SecurityStub were allowed if the providing component was running in another process than the RscGateway.
Rsync
CVE-2025-10158
CVE-2026-43617
CVE-2026-45232
CVE-2026-43619
CVE-2026-43620
CVE-2026-41035
CVE-2026-43618
CVE-2026-29518
RSC file service
Read/write access to app directories via the RSC service “Read/Write” was denied on “secure-by-default” devices.
System
CVE-2025-41669
By activating the remote gRPC server, it was possible to use every available endpoint without authentication. This includes for example reading and writing GDS variables, as well as restarting the device, and processing a factory reset.
Missing certificates in case of project integrity in the Trust Store Code Signing led to unclear security notifications.
Writing primitive variables using “IDataAccessService::Write” instead of “IDataAccessService::WriteSingle”, the additional information “from <oldValue> to <newValue>” was missing in the corresponding security notification.
The AppManager did not lock the loading of an app in time to prevent the PlcManager from loading the eCLR project. This led to an impairment of cybersecurity, as the loaded code could still be executed in the event of an expired license.
A standard user on the device was able to access any files on the device. This situation was caused by misconfigured sudo permissions associated with the “nft” binary.
In case of user handling some notifications showed internal user-related information.
Systemd
CVE-2026-40226
Sqlite
CVE-2025-6965
CVE-2025-7709
CVE-2025-52099
WBM
CVE-2025-41771
The WBM certificate management was unable to add PEM certificates which contained “CRLF” instead of “LF”.
In LDAP/LDAPs WBM configuration, a port setting was not reset to default if the port was removed on existing configurations.
In connection with certificate management, security notifications were not generated anymore.