CVE-2023-37857
LowCVSS 3.8Exploitation Probability (EPSS)
Low risk35th percentile — higher than 35% of all known CVEs
Summary
In PHOENIX CONTACT's WP 6xxx series web panels in versions prior to 4.0.10, an authenticated remote attacker with admin privileges can read hardcoded cryptographic keys, allowing the attacker to create valid session cookies.
Risk Assessment
The attacker may use these cookies to attempt to gain access to the device, although the cookies alone are not sufficient to establish a valid session.
Recommendation
It is recommended to update the panels to version 4.0.10 or later to mitigate this vulnerability.
Original NVD description (English source)
In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 an authenticated, remote attacker with admin privileges is able to read hardcoded cryptographic keys allowing the attacker to create valid session cookies. These session-cookies created by the attacker are not sufficient to obtain a valid session on the device.

