CVE-2020-12499

PHOENIX CONTACT PLCnext Engineer version 2020.3.1 and earlier: Improper path sanitation vulnerability.

Description

In PHOENIX CONTACT PLCnext Engineer version 2020.3.1 and earlier an improper path sanitation vulnerability exists on import of project files.

Solution:

Temporary Fix / Mitigation: We strongly recommend customers to exchange project files only using secure file exchange services. Project files should not be exchanged via unencrypted email. Users should avoid importing project files from unknown source and exchange or store project files together with a checksum to ensure their integrity.
Remediation: Phoenix Contact strongly recommends updating to the latest version PLCnext Enineer 2020.6 or higher, which fixes this vulnerability.

Link	Tags
https://cert.vde.com/en-us/advisories/vde-2020-025	third party advisory

What is the severity of CVE-2020-12499?: CVE-2020-12499 has been scored as a high severity vulnerability.
How to fix CVE-2020-12499?: To fix CVE-2020-12499: Temporary Fix / Mitigation: We strongly recommend customers to exchange project files only using secure file exchange services. Project files should not be exchanged via unencrypted email. Users should avoid importing project files from unknown source and exchange or store project files together with a checksum to ensure their integrity.
Is CVE-2020-12499 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2020-12499 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2020-12499?: CVE-2020-12499 affects PHOENIX CONTACT PLCnext Engineer.