Critical Vulnerability Information

Vulnerability ID: VDE-2025-063

Release and Update Time
Release Time: 2025-08-12 10:00 (CEST)
Last Updated: 2025-08-12 10:29 (CEST)

Vendor and Product
Vendor: PHOENIX CONTACT GmbH & Co. KG
Product Name: DaUM (Device and Update Management)
Affected Versions: < 2025.3.1

Vulnerability Overview
Description: A local privilege escalation vulnerability exists in the Windows installer of Phoenix Contact Device and Update Management (DaUM). The installer deploys DAUM-WINDOWS-SERVICE with nssm.exe whose file permissions are configured improperly. A low-privileged local user can exploit this to execute arbitrary code and obtain administrative privileges on the host.

CVE Information
CVE ID: CVE-2025-41886
Last Updated: August 8, 2025, 15:12
Severity: 7.8, High (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Weakness Type: CWE-308, listed as Missing Authentication for Critical Function. Note that this title and number do not match: Missing Authentication for Critical Function is CWE-306, while CWE-308 is Use of Single-factor Authentication. Consult the CERT@VDE advisory for the authoritative classification.

Impact and Mitigation
Impact: The product's installer allows escalation to administrator level through nssm.exe. nssm (the Non-Sucking Service Manager) is an open-source tool that runs an arbitrary program as a Windows service and is commonly shipped with products to simplify service management. The executable that a service points to is run in the service's security context every time the service starts, so if the ACL on nssm.exe (or on the directory that contains it) grants write, modify or delete rights to low-privileged principals such as Users or Authenticated Users, such a user can replace the file and have their own code run with the service's privileges. That is how a low-privileged local user reaches administrative privileges here.
Mitigation:
- General Recommendation: Phoenix Contact recommends operating network devices in closed networks or in environments protected by suitable firewalls. For measures to protect network devices, refer to the Phoenix Contact application notes.
- Fix: Upgrade to the latest DaUM version, 2025.3.1. Until the upgrade is installed, verify that nssm.exe and its directory are not writable by non-administrative users.

Reporter
CERT@VDE in coordination with Phoenix Contact GmbH & Co. KG
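The following PowerShell audit script is an added example and is not part of the CERT@VDE advisory or of Phoenix Contact's product. It enumerates the services on a Windows host, resolves each service binary and its directory, and reports ACEs that let low-privileged principals modify them, which is the weakness class behind CVE-2025-41886. For nssm-wrapped services it additionally resolves the wrapped application from nssm's Parameters\Application registry value, since replacing that target gives the same result as replacing nssm.exe itself. The principal list, the set of rights treated as dangerous, and the DAUM* name filter in the usage comment are assumptions chosen for illustration; the script only reads ACLs and changes nothing.

```powershell
# Added example (not from the advisory or from Phoenix Contact): find Windows service
# binaries whose ACLs let low-privileged users replace them. Run elevated for complete
# results; the script is read-only.

# Principals a local, non-administrative user is typically a member of (assumption).
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets the holder overwrite, replace or delete the file, or plant
# a file in the directory (assumption about which rights matter for this check).
$DangerousRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, ChangePermissions, TakeOwnership, Delete, WriteData, AppendData'

function Get-BinaryFromCommandLine {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    # Quoted image path: take the quoted part.
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted image path: take everything up to the first .exe token, so paths with
    # spaces are still resolved to the file that actually gets executed.
    if ($CommandLine -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return ($CommandLine -split '\s+')[0]
}

function Get-WeakAces {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    $acl = Get-Acl -LiteralPath $Path
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($LowPrivPrincipals -contains $_.IdentityReference.Value) -and
        (($_.FileSystemRights -band $DangerousRights) -ne 0)
    }
}

function Test-ServiceBinaryPermissions {
    param([string]$NameFilter = '*')
    $findings = @()
    foreach ($svc in Get-CimInstance Win32_Service | Where-Object { $_.Name -like $NameFilter }) {
        $targets = @()
        $bin = Get-BinaryFromCommandLine $svc.PathName
        if ($bin) { $targets += $bin }

        # nssm stores the program it wraps under <service>\Parameters\Application.
        # Replacing that program runs code in the service context just like replacing nssm.exe.
        $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
        if (Test-Path $paramKey) {
            $app = (Get-ItemProperty -Path $paramKey -ErrorAction SilentlyContinue).Application
            if ($app) { $targets += $app }
        }

        foreach ($t in ($targets | Select-Object -Unique)) {
            # Check the file itself and its containing directory.
            foreach ($p in @($t, (Split-Path -Parent $t))) {
                foreach ($ace in Get-WeakAces $p) {
                    $findings += [pscustomobject]@{
                        Service   = $svc.Name
                        RunsAs    = $svc.StartName
                        Path      = $p
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                    }
                }
            }
        }
    }
    return $findings
}

# Audit every service, or narrow it down, e.g.: Test-ServiceBinaryPermissions -NameFilter 'DAUM*'
Test-ServiceBinaryPermissions | Format-Table -AutoSize
```

Every row whose RunsAs is LocalSystem or an administrative account and whose Principal is a low-privileged group is a local privilege escalation candidate. The check matches only the named rights above; ACEs that use generic rights (GENERIC_ALL, GENERIC_WRITE) show up as raw integers in FileSystemRights and should be inspected by hand. For DaUM the fix is the upgrade the advisory names; for a binary you own, tightening the ACE (for example `icacls <path> /remove:g Users`) closes the same hole.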