CVE-2023-37857: PHOENIX CONTACT: Use of Hard-coded Credentials in WP 6xxx Web panels
First published: Wed Aug 09 2023(Updated: )
In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 an authenticated, remote attacker with admin privileges is able to read hardcoded cryptographic keys allowing the attacker to create valid session cookies. These session-cookies created by the attacker are not sufficient to obtain a valid session on the device.
Credit: info@cert.vde.com info@cert.vde.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Phoenixcontact Wp 6070-wvps Firmware | <4.0.10 | |
| Phoenixcontact Wp 6070-wvps | ||
| Phoenixcontact Wp 6101-wxps Firmware | <4.0.10 | |
| Phoenixcontact Wp 6101-wxps | ||
| Phoenixcontact Wp 6121-wxps Firmware | <4.0.10 | |
| Phoenixcontact Wp 6121-wxps | ||
| Phoenixcontact Wp 6156-whps Firmware | <4.0.10 | |
| Phoenixcontact Wp 6156-whps | ||
| Phoenixcontact Wp 6185-whps Firmware | <4.0.10 | |
| Phoenixcontact Wp 6185-whps | ||
| Phoenixcontact Wp 6215-whps Firmware | <4.0.10 | |
| Phoenixcontact Wp 6215-whps |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-37857?
CVE-2023-37857 is a vulnerability in PHOENIX CONTACT's WP 6xxx series web panels that allows an authenticated remote attacker with admin privileges to read hardcoded cryptographic keys and create valid session cookies.
How severe is CVE-2023-37857?
CVE-2023-37857 has a severity rating of 7.2 (high).
Which versions of PHOENIX CONTACT's WP 6xxx series web panels are affected by CVE-2023-37857?
Versions prior to 4.0.10 of PHOENIX CONTACT's WP 6xxx series web panels are affected by CVE-2023-37857.
How can an attacker exploit CVE-2023-37857?
An attacker with admin privileges can exploit CVE-2023-37857 to read hardcoded cryptographic keys and create valid session cookies, potentially bypassing web service authentication.
Is there a fix for CVE-2023-37857?
Updating PHOENIX CONTACT's WP 6xxx series web panels to version 4.0.10 or later will fix CVE-2023-37857.
- collector/nvd-index
- collector/nvd-api
- agent/references
- agent/weakness
- agent/title
- agent/severity
- agent/author
- agent/type
- agent/event
- agent/description
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/phoenixcontact
- canonical/phoenixcontact wp 6070-wvps firmware
- canonical/phoenixcontact wp 6070-wvps
- canonical/phoenixcontact wp 6101-wxps firmware
- canonical/phoenixcontact wp 6101-wxps
- canonical/phoenixcontact wp 6121-wxps firmware
- canonical/phoenixcontact wp 6121-wxps
- canonical/phoenixcontact wp 6156-whps firmware
- canonical/phoenixcontact wp 6156-whps
- canonical/phoenixcontact wp 6185-whps firmware
- canonical/phoenixcontact wp 6185-whps
- canonical/phoenixcontact wp 6215-whps firmware
- canonical/phoenixcontact wp 6215-whps