CVE Alert: CVE-2025-41703 – Phoenix Contact – QUINT4-UPS/24DC/24DC/5/EIP

**Risk verdict**: High risk due to unauthenticated Modbus commands enabling remote denial of service on the UPS output; no known exploitation activity observed at present, but rapid threat remediations are warranted.

**Why this matters**: An attacker can disable critical power output without credentials, potentially causing unplanned outages and equipment disruption in industrial or data-centre environments. The goal may be service disruption, safety impact, or loss of availability for critical operations.

**Most likely attack path**: An attacker with network access targets the Modbus/TCP interface exposed to the network. With no privileges required, they issue a write command to turn off the UPS output, triggering a high-availability DoS without user interaction. The preconditions are a reachable Modbus service and a lack of authentication, with no lateral movement required beyond this device.

**Who is most exposed**: Organisations deploying UPS units in industrial/OT environments or tightly coupled data/operations networks where Modbus interfaces are accessible from IT or remote networks are at greatest risk.

**Detection ideas**:

• Unauthorised Modbus write commands to UPS control registers.
• Sudden output-off/shutdown events reported by the UPS.
• Anomalous Modbus/TCP traffic to the device, especially unusual function codes.
• Logs showing Modbus commands without preceding authentication.
• Power disruption alerts correlated with remote management activity.

**Mitigation and prioritisation**:

• Patch to fixed software/release when vendor updates are available.
• Disable or tightly restrict Modbus/TCP access to trusted networks and devices; implement ACLs and network segmentation.
• Enforce strong access controls on management networks; remove or lock down exposed interfaces.
• Monitor Modbus activity and correlate with UPS state changes; alert on outbound control commands.
• If KEV is present or EPSS ≥ 0.5 (data currently missing), treat as priority 1; otherwise escalate promptly but within an active-change window. If data is missing, confirm EPSS and KEV status to refine urgency.