PHOENIX CONTACT PLCNext AXC F 2152

Act NowCVSS 9.8ICS-CERT ICSA-19-155-01Jun 4, 2019

Phoenix ContactWAGOManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The AXC F 2152 controller contains multiple critical vulnerabilities spanning weak encryption (CWE-326), authentication bypass (CWE-287, CWE-284), buffer overflows (CWE-787, CWE-119), and input validation flaws (CWE-20). These flaws allow an attacker with network access to decrypt stored passwords, bypass authentication, cause denial of service, and potentially trigger unintended interactions with third-party systems. Vulnerabilities also relate to improper SD card handling and insecure OPC security policies (CWE-295, CWE-327). Version 1.x has no fix available from the vendor.

What this means

What could happen

An attacker could decrypt stored passwords, bypass authentication on the PLC, or disrupt communications with the controller. These vulnerabilities could also be chained with other exploits to compromise the integrity and availability of industrial processes.

Who's at risk

Manufacturing facilities using Phoenix Contact AXC F 2152 PLCs (article numbers 2404267 and 1046568 Starterkit) should be concerned. This controller is commonly used for process automation in factories, food and beverage production, and packaging lines. Any facility relying on this PLC for critical operations is at risk.

How it could be exploited

An attacker with network access to the AXC F 2152 controller could exploit weak encryption (CWE-326), authentication bypass (CWE-287, CWE-284), or buffer overflow flaws (CWE-787, CWE-119) to gain unauthorized access. The attacker could then extract credentials, disable the device, or alter process parameters that control manufacturing operations.

Prerequisites

Network access to the AXC F 2152 controller on port 502 (Modbus) or OPC server ports
Default or weak OPC security policy (Basic128Rsa15) enabled on the device
SD card containing sensitive data accessible to the attacker

Remotely exploitableNo authentication required for some attack pathsLow complexity exploitationHigh EPSS score (58%)No patch available for version 1.xAffects safety-critical industrial controllersWeak default OPC security policies

Exploitability

Likely to be exploited — EPSS score 86.7%

Metasploit module available — weaponized exploitView module ↗

Public Proof-of-Concept (PoC) on GitHub (10 repositories)

Affected products (5)

3 with fix2 pending

ProductAffected VersionsFix Status

852-1305<V1.1.6.S0V1.1.6.S0

852-1505<V1.1.5.S0V1.1.5.S0

852-303<V1.2.2.S0V1.2.2.S0

AXC F 2152: article number 24042672404267 version 1.xNo fix yet

AXC F 2152: article number 1046568 (Starterkit)1046568 (Starterkit) version 1.xNo fix yet

Remediation & Mitigation

0/8

Do now

0/2

WORKAROUNDDisable Basic128Rsa15 security policy in OPC Servers configuration; use only Basic256 or higher

HARDENINGFollow SD card usage guidance in manual Art.-Nr. 107708 to prevent unauthorized SD card access

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpdate firmware to release 2019.0 LTS or later

HOTFIXUpdate PLCNext Engineer to release 2019.0 LTS or later

HARDENINGConfigure notification manager to monitor SD card exchanges by the application program

Long-term hardening

0/3

HARDENINGOperate the device in a closed network or behind a firewall

HARDENINGPlace the PLC in a physically secure area to prevent direct access

HARDENINGIf remote access is required, use a VPN with the latest security updates

CVEs (64)

CVE-2010-3856 CVE-2011-2716 CVE-2012-4412 CVE-2014-4043 CVE-2014-9402 CVE-2015-1472 CVE-2011-5325 CVE-2014-9761 CVE-2014-9984 CVE-2015-9261 CVE-2016-2147 CVE-2016-2148 CVE-2017-16544 CVE-2019-12549 CVE-2019-12550 CVE-2015-0235 CVE-2013-1813 CVE-2010-0296 CVE-2018-7559 CVE-2019-10998 CVE-2019-10997 CVE-2017-8816 CVE-2016-9953 CVE-2017-8817 CVE-2017-11541 CVE-2017-11542 CVE-2017-11543 CVE-2017-5334 CVE-2017-5336 CVE-2016-9841 CVE-2018-1000120 CVE-2017-5337 CVE-2016-9843 CVE-2017-1000257 CVE-2018-1000122 CVE-2018-1000301 CVE-2018-1000005 CVE-2016-9842 CVE-2016-9840 CVE-2016-9952 CVE-2016-1247 CVE-2017-9023 CVE-2016-6301 CVE-2016-7141 CVE-2016-7444 CVE-2018-1000121 CVE-2017-1000254 CVE-2017-11108 CVE-2017-11185 CVE-2017-3731 CVE-2017-9233 CVE-2017-5335 CVE-2017-9022 CVE-2018-1000117 CVE-2018-5388 CVE-2017-1000101 CVE-2017-1000100 CVE-2016-7103 CVE-2015-9251 CVE-2017-3738 CVE-2018-0737 CVE-2017-3737 CVE-2017-15906 CVE-2017-3735

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/29243497-cf39-40ca-9d0d-fef3d74a0f04

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.