PHOENIX CONTACT PLCNext AXC F 2152
Act Now | 9.8 | ICS-CERT ICSA-19-155-01 | Jun 4, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The AXC F 2152 controller contains multiple critical vulnerabilities spanning weak encryption (CWE-326), authentication bypass (CWE-287, CWE-284), buffer overflows (CWE-787, CWE-119), and input validation flaws (CWE-20). These flaws allow an attacker with network access to decrypt stored passwords, bypass authentication, cause denial of service, and potentially trigger unintended interactions with third-party systems. Vulnerabilities also relate to improper SD card handling and insecure OPC security policies (CWE-295, CWE-327). Version 1.x has no fix available from the vendor.
What this means
What could happen
An attacker could decrypt stored passwords, bypass authentication on the PLC, or disrupt communications with the controller. These vulnerabilities could also be chained with other exploits to compromise the integrity and availability of industrial processes.
Who's at risk
Manufacturing facilities using Phoenix Contact AXC F 2152 PLCs (article numbers 2404267 and 1046568 Starterkit) should be concerned. This controller is commonly used for process automation in factories, food and beverage production, and packaging lines. Any facility relying on this PLC for critical operations is at risk.
How it could be exploited
An attacker with network access to the AXC F 2152 controller could exploit weak encryption (CWE-326), authentication bypass (CWE-287, CWE-284), or buffer overflow flaws (CWE-787, CWE-119) to gain unauthorized access. The attacker could then extract credentials, disable the device, or alter process parameters that control manufacturing operations.
Prerequisites
- Network access to the AXC F 2152 controller on port 502 (Modbus) or OPC server ports
- Default or weak OPC security policy (Basic128Rsa15) enabled on the device
- SD card containing sensitive data accessible to the attacker

Remotely exploitable | No authentication required for some attack paths | Low complexity exploitation | High EPSS score (58%) | No patch available for version 1.x | Affects safety-critical industrial controllers | Weak default OPC security policies
Exploitability
High exploit probability (EPSS 58.0%)
Affected products (2)
2 pending
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| AXC F 2152: article number 2404267 | 2404267 version 1.x | No fix yet |
| AXC F 2152: article number 1046568 (Starterkit) | 1046568 (Starterkit) version 1.x | No fix yet |
Remediation & Mitigation
Do now
- WORKAROUND: Disable Basic128Rsa15 security policy in OPC Servers configuration; use only Basic256 or higher
- HARDENING: Follow SD card usage guidance in manual Art.-Nr. 107708 to prevent unauthorized SD card access
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update firmware to release 2019.0 LTS or later
- HOTFIX: Update PLCNext Engineer to release 2019.0 LTS or later
- HARDENING: Configure notification manager to monitor SD card exchanges by the application program
Long-term hardening
- HARDENING: Operate the device in a closed network or behind a firewall
- HARDENING: Place the PLC in a physically secure area to prevent direct access
- HARDENING: If remote access is required, use a VPN with the latest security updates
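
A check for the Basic128Rsa15 workaround listed under "Do now", as an added example that is not part of the advisory or of any vendor tooling. It takes endpoint descriptions already collected from an OPC UA server's GetEndpoints response and reports every endpoint offering a policy weaker than Basic256; the field names, hostnames and the policy ranking are assumptions of this example.

```python
# Added example: audit OPC UA endpoint security policies against the
# advisory's workaround (disable Basic128Rsa15; use Basic256 or higher).
POLICY_BASE = "http://opcfoundation.org/UA/SecurityPolicy#"

# Ranking assumed for this example. "None" (no signing or encryption) is
# ranked lowest; the advisory itself only names Basic128Rsa15 and Basic256.
POLICY_RANK = {
    "None": 0,
    "Basic128Rsa15": 1,
    "Basic256": 2,
    "Basic256Sha256": 3,
    "Aes128_Sha256_RsaOaep": 3,
    "Aes256_Sha256_RsaPss": 4,
}
MIN_POLICY = "Basic256"


def audit_endpoints(endpoints):
    """Return (url, policy, reason) for each endpoint that fails the check."""
    findings = []
    for ep in endpoints:
        uri = ep["security_policy_uri"]
        name = uri[len(POLICY_BASE):] if uri.startswith(POLICY_BASE) else uri
        rank = POLICY_RANK.get(name)
        if rank is None:
            # Unrecognised policies are reported rather than silently passed.
            findings.append((ep["url"], name, "unknown policy, review manually"))
        elif rank < POLICY_RANK[MIN_POLICY]:
            findings.append((ep["url"], name, f"weaker than {MIN_POLICY}"))
    return findings


# Constructed sample data (hypothetical hosts, not taken from the advisory).
SAMPLE_ENDPOINTS = [
    {"url": "opc.tcp://plc-a.example:4840", "security_policy_uri": POLICY_BASE + "Basic128Rsa15"},
    {"url": "opc.tcp://plc-a.example:4840", "security_policy_uri": POLICY_BASE + "Basic256Sha256"},
    {"url": "opc.tcp://plc-b.example:4840", "security_policy_uri": POLICY_BASE + "None"},
    {"url": "opc.tcp://plc-b.example:4840", "security_policy_uri": POLICY_BASE + "Basic256"},
    {"url": "opc.tcp://plc-c.example:4840", "security_policy_uri": "urn:example:VendorPolicy"},
]

if __name__ == "__main__":
    for url, name, reason in audit_endpoints(SAMPLE_ENDPOINTS):
        print(f"{url}: {name} ({reason})")
```
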
CVEs (46)
CVE-2018-7559, CVE-2019-10998, CVE-2019-10997, CVE-2017-8816, CVE-2016-9953, CVE-2017-8817, CVE-2017-11541, CVE-2017-11542, CVE-2017-11543, CVE-2017-5334, CVE-2017-5336, CVE-2016-9841, CVE-2018-1000120, CVE-2017-5337, CVE-2016-9843, CVE-2017-1000257, CVE-2018-1000122, CVE-2018-1000301, CVE-2018-1000005, CVE-2016-9842, CVE-2016-9840, CVE-2016-9952, CVE-2016-1247, CVE-2017-9023, CVE-2016-6301, CVE-2016-7141, CVE-2016-7444, CVE-2018-1000121, CVE-2017-1000254, CVE-2017-11108, CVE-2017-11185, CVE-2017-3731, CVE-2017-9233, CVE-2017-5335, CVE-2017-9022, CVE-2018-1000117, CVE-2018-5388, CVE-2017-1000101, CVE-2017-1000100, CVE-2016-7103, CVE-2015-9251, CVE-2017-3738, CVE-2018-0737, CVE-2017-3737, CVE-2017-15906, CVE-2017-3735