Phoenix Contact UPS Vulnerabilities: Critical Flaws May Cause Denial-of-Service

Critical flaws in Phoenix Contact’s QUINT4 UPS devices could let attackers shut down power or steal credentials. One unpatched Modbus flaw risks remote “power denial” attacks, prompting urgent isolation, patching, and network hardening for industrial operators.

    Critical cybersecurity vulnerabilities in Phoenix Contact’s QUINT4 uninterruptible power supply (UPS) devices could leave industrial systems exposed to remote attacks capable of shutting down power delivery and harvesting user credentials. The flaws — including five tracked under distinct CVEs — were disclosed by security researchers from CyberDanube and have since been partially addressed by firmware updates from the vendor.

    The vulnerabilities affect EtherNet/IP variants of the QUINT4 UPS series, primarily intended for use in isolated industrial environments. However, if those devices are exposed to the internet, attackers could remotely exploit the flaws without authentication, leading to a denial-of-service (DoS) or credential compromise scenario.

    Denial-of-Service Flaws Threaten Availability of Power Infrastructure

    Phoenix Contact confirmed multiple vulnerabilities that may allow attackers to disable UPS output or freeze the device indefinitely, potentially interrupting critical operations that depend on continuous power.

    CVE-2025-41703: Critical Power-Off Vulnerability Via Modbus

    Perhaps the most immediate threat among the discovered issues is CVE-2025-41703, which permits an unauthenticated attacker to send specially crafted Modbus TCP commands to disable the UPS output. This results in what researchers describe as a “denial of power service.” Because Modbus is widely supported and often used in industrial control systems, the risk of exploitation is significant in incorrectly segmented networks.

    Phoenix Contact has not addressed this vulnerability in firmware VC:07, stating that a patch would interfere with legitimate Modbus-based functionalities. As a mitigation, the company strongly recommends deploying these devices only in isolated industrial networks that are protected with a firewall.

    Additional CVEs Can Lead to Irrecoverable Device Lockouts

    Three other vulnerabilities—CVE-2025-41704, CVE-2025-41706, and CVE-2025-41707—can enable a remote attacker to trigger a persistent denial-of-service condition. Once in this state, the device may become permanently non-responsive and unrecoverable via remote methods, effectively requiring physical intervention or replacement.

    This could present a serious challenge for operators of large-scale or distributed systems who rely on remote device management. These types of disruptions also increase operational latency and downtime — major concerns in sectors where high availability is paramount.

    Password Leakage Over Web Interface Adds to the Risk

    In addition to DoS vectors, researchers flagged CVE-2025-41705, a flaw that allows an attacker in a man-in-the-middle position to intercept login credentials from the device’s web interface. This stems from insecure data handling practices that expose passwords during transit, making it trivial for attackers monitoring network traffic in inadequately protected environments to steal credentials and gain unauthorized access.

    Although the vulnerability requires some level of network presence or access, it underscores the importance of proper network segmentation and encrypted communication between devices.

    Firmware VC:07 Patches Most Issues, But Not All

    To mitigate these risks, Phoenix Contact released firmware version VC:07, which addresses CVE-2025-41704, CVE-2025-41705, CVE-2025-41706, and CVE-2025-41707 across the following product SKUs:

    • 2907069: QUINT4-UPS/24DC/24DC/10/EIP (versions VC:00 up to, but not including, VC:07)
    • 2907074: QUINT4-UPS/24DC/24DC/20/EIP (versions VC:00 up to, but not including, VC:07)

    However, the vendor did not remediate CVE-2025-41703, citing its role in core system functionality. In response, Phoenix Contact recommends operating these UPS devices only in well-controlled, non-internet-facing environments and supplementing with firewall protections to restrict access to specific trusted hosts or network segments.

    CyberDanube emphasized that their scans didn’t discover internet-exposed QUINT4 devices, confirming they’re generally used as intended—in isolated deployments. Nevertheless, securing Modbus access and restricting network communication to trusted hosts remain critical defense measures across both local and remote environments.

    Wider Pattern of Vulnerabilities in Phoenix Contact Devices

    Though the latest QUINT4 UPS vulnerabilities underscore a specific product risk, they fall within a broader ecosystem of security challenges across Phoenix Contact’s industrial product line.

    For instance:

    • Previous advisories from FoxGuard Solutions highlighted DoS risks in Phoenix Contact’s AXL F BK and IL BK controllers when exposed via port 80.
    • Multiple flaws in the PLCnext platform, including CVE-2025-41665 through CVE-2025-41668, allow low-privileged adversaries to crash or control devices by manipulating filesystem components.
    • Earlier issues such as CVE-2018-10730 and CVE-2018-10728 affected FL SWITCH Ethernet switches, enabling code execution and denial-of-service through improper input handling.
    • Automation software included in the Automation Worx suite remained susceptible to remote code execution vulnerabilities for years via memory usage bugs.

    This extended attack surface underscores consistent challenges around securely architecting devices used in operational technology (OT) and industrial control systems (ICS).

    Recommendations: Network Isolation Is Crucial for UPS and ICS Devices

    Given the inability to fully patch all identified vulnerabilities—particularly those involving critical system interfaces like Modbus—operators must rely heavily on architecture-level mitigations:

    1. Segment Devices in Isolated OT Networks: Use industrial firewalls to isolate power management systems from IT networks and the internet.
    2. Restrict Device Access with Whitelisting Rules: Only allow trusted programmatic access to the UPS via Modbus or EtherNet/IP.
    3. Monitor for Unusual Network Activity: Implement intrusion detection systems (IDS) capable of recognizing unexpected DoS attempts or unencrypted credential leaks.
    4. Apply All Available Firmware Updates: Upgrade to firmware VC:07 where applicable to mitigate most discovered issues.

    The incident further highlights the urgent need for ICS and OT operators to review asset inventories, enforce strict network boundaries, and ensure vulnerability management extends beyond conventional IT endpoints to encompass critical power and automation components.
