CVE-2023-37858

MEDIUM

Phoenixcontact WP 6070-wvps Firmware < 4.0.10 - Missing Encryption

Title source: rule

Description

In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 an authenticated, remote attacker with admin privileges is able to read hardcoded cryptographic keys allowing to decrypt an encrypted web application login password.

References (1)

[Third Party Advisory] https://cert.vde.com/en/advisories/VDE-2023-018/

Scores

CVSS v3 4.9

EPSS 0.0003

EPSS Percentile 7.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-311

Status published

Products (6)

phoenixcontact/wp_6070-wvps_firmware < 4.0.10

phoenixcontact/wp_6101-wxps_firmware < 4.0.10

phoenixcontact/wp_6121-wxps_firmware < 4.0.10

phoenixcontact/wp_6156-whps_firmware < 4.0.10

phoenixcontact/wp_6185-whps_firmware < 4.0.10

phoenixcontact/wp_6215-whps_firmware < 4.0.10

Published Aug 09, 2023

Tracked Since Feb 18, 2026