CVE-2023-37858 MEDIUM

CVE-2023-37858: PHOENIX CONTACT: Use of Hard-coded Credentials in WP 6xxx Web panels

Vendor Phoenix Contact
Product WP 6070-WVPS
Weakness CWE-311 · Missing encryption
Published August 9, 2023
Last update August 2, 2024

CVSS base score

4.9/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 an authenticated, remote attacker with admin privileges is able to read hardcoded cryptographic keys allowing to decrypt an encrypted web application login password.

Key dates

02Disclosure timeline

August 9, 2023 CVE published
August 2, 2024 Record updated