Several newly disclosed flaws in Phoenix Contact’s QUINT4 uninterruptible power supply (UPS) systems could let attackers cut power or steal credentials from industrial networks. The company has released firmware updates to address most of the issues, but one critical flaw remains unpatched because fixing it would disrupt legitimate device functions.
Researchers from CyberDanube discovered the vulnerabilities and warned that they could be exploited remotely by unauthenticated attackers. The most severe of these flaws, tracked as CVE-2025-41703, allows an attacker to send a Modbus command that shuts down the UPS output entirely. In practice, this can trigger a permanent denial-of-service condition that prevents remote restoration—a so-called “denial of power service.”
Four of the five reported flaws—CVE-2025-41703, CVE-2025-41704, CVE-2025-41706, and CVE-2025-41707—enable denial-of-service attacks. A fifth issue, CVE-2025-41705, exposes passwords by leaking information through unsecured Webfrontend communication. An attacker positioned between a user and the device could intercept these credentials and use them to gain access.
Phoenix Contact has released firmware version VC:07 to patch most of the vulnerabilities across several QUINT4-UPS EtherNet/IP models. However, CVE-2025-41703 remains unresolved because altering its core behavior would affect normal Modbus functionality. The company recommends isolating affected devices on internal industrial networks and protecting them with strong firewall rules.
CyberDanube confirmed that these UPS products are intended for closed environments and that it found no evidence of internet-exposed devices. Still, if an organization were to make these systems accessible online, an attacker could exploit the flaws directly over the internet. In most real-world scenarios, the attacker would first need to breach the internal network that houses the UPS units before launching an attack.
The danger lies in how easily these flaws can disrupt industrial operations. Power backup systems are critical in maintaining uptime for factories, utilities, and infrastructure sites. A targeted attack that cuts off power at the UPS level could halt production lines, damage connected equipment, or endanger safety systems that rely on uninterrupted power flow. For organizations using QUINT4 units, this is not a theoretical concern—it’s a call for immediate action.
Operators are urged to install the latest firmware updates and to review their network segmentation. UPS devices should not be reachable from enterprise IT networks or the public internet. Limiting Modbus/TCP communications to trusted management subnets, enforcing access controls, and monitoring traffic for abnormal commands can significantly reduce exposure. Because the most critical flaw remains unpatched and a UPS that has been shut down this way cannot be restored remotely, teams should prepare for on-site recovery if a device becomes unresponsive.
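One way to implement the monitoring recommended above, as an added example that is not code from Phoenix Contact or CyberDanube: it parses Modbus/TCP request headers and flags requests from outside the management subnet, state-changing function codes, and malformed frames. The subnet and sample frames are constructed, and the function codes are the standard Modbus write codes, not the specific command behind CVE-2025-41703, which the article does not describe.

```python
import ipaddress
import struct

# Assumed management subnet (constructed, documentation address range).
TRUSTED_MGMT = ipaddress.ip_network("192.0.2.0/28")

# Standard Modbus function codes that modify device state.
WRITE_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}

def parse_request(payload: bytes):
    """Return (unit_id, function_code, first_field) or None if the frame is invalid."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit, func = struct.unpack(">HHHBB", payload[:8])
    # MBAP rules: protocol id is always 0; length counts unit id + PDU bytes.
    if proto != 0 or length != len(payload) - 6:
        return None
    # First 16-bit PDU field: the start address (for 0x17, the read start address).
    addr = struct.unpack(">H", payload[8:10])[0] if len(payload) >= 10 else None
    return unit, func, addr

def classify(src_ip: str, payload: bytes):
    """Return a list of findings for one TCP payload sent to port 502."""
    findings = []
    if ipaddress.ip_address(src_ip) not in TRUSTED_MGMT:
        findings.append("untrusted-source")
    parsed = parse_request(payload)
    if parsed is None:
        return findings + ["malformed-frame"]
    _unit, func, addr = parsed
    if func in WRITE_CODES:
        findings.append(f"write:{WRITE_CODES[func]}@{addr}")
    return findings

# Constructed sample traffic: (source IP, raw TCP payload).
SAMPLES = [
    ("192.0.2.5", bytes.fromhex("000100000006010300000002")),    # read holding registers
    ("192.0.2.5", bytes.fromhex("000200000006010600100001")),    # write single register
    ("198.51.100.7", bytes.fromhex("00030000000601050001ff00")), # write coil, outside subnet
    ("192.0.2.5", bytes.fromhex("0004000100060103")),            # wrong protocol id
]

if __name__ == "__main__":
    for src, raw in SAMPLES:
        print(src, classify(src, raw) or "ok")
```

Write requests from the management subnet are reported rather than blocked, so they can be compared against planned maintenance activity.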
This incident highlights a growing challenge in industrial cybersecurity. UPS systems, sensors, and controllers are no longer isolated hardware—they are connected computing devices running firmware and network protocols. As these systems gain connectivity, they also inherit the same vulnerabilities that plague IT infrastructure. A single weak point in an operational technology (OT) network can have far-reaching physical consequences.
For industrial operators, defending against Phoenix Contact UPS vulnerabilities means taking a layered approach. Start by checking firmware versions and ensuring that VC:07 is deployed where applicable. Then, restrict Modbus access to local control networks and prevent external management sessions. Finally, monitor your systems continuously and establish a recovery plan in case a UPS enters a permanent denial-of-service state.
Power continuity depends on cybersecurity as much as on hardware reliability. Addressing these vulnerabilities promptly is essential to keeping industrial networks safe and operational.