CVE-2023-37857 LOW

CVE-2023-37857: PHOENIX CONTACT: Use of Hard-coded Credentials in WP 6xxx Web panels

Vendor Phoenix Contact
Product WP 6070-WVPS
Weakness CWE-798 · Hardcoded credentials
Published August 9, 2023
Last update October 8, 2024

CVSS base score

3.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 an authenticated, remote attacker with admin privileges is able to read hardcoded cryptographic keys allowing the attacker to create valid session cookies. These session-cookies created by the attacker are not sufficient to obtain a valid session on the device.

Key dates

02Disclosure timeline

August 9, 2023 CVE published
October 8, 2024 Record updated