OTPulse

PHOENIX CONTACT Automation Worx Software Suite

Monitor | 7.8 | ICS-CERT ICSA-19-302-01 | Oct 29, 2019
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Phoenix Contact Automation Worx Software Suite (PC Worx, PC Worx Express, and Config+ versions 1.86 and earlier) improperly validates project file input data, specifically arrays with invalid dimensions. Opening a malicious project file could allow an attacker to execute arbitrary code on the engineering workstation. While the running automation systems themselves are not directly affected, an attacker could modify automation logic, steal credentials, or plant backdoors in legitimate programs before deployment. The vulnerability is triggered by user interaction (opening a file) and requires social engineering or file delivery via email or file-sharing services.

What this means
What could happen
A malicious project file could compromise the development environment and allow an attacker to steal or modify automation logic before it reaches production control systems. While the running automated systems themselves are not directly impacted, the integrity of the engineering workstations used to program them is at risk.
Who's at risk
Engineering and automation programming teams using Phoenix Contact's PC Worx, PC Worx Express, or Config+ software on their development workstations. This affects anyone responsible for creating or modifying PLC/automation logic for water treatment, wastewater, power generation, or other industrial processes.
How it could be exploited
An attacker crafts a malicious project file with invalid array dimensions and sends it to an engineer via email or file-sharing service. When the engineer opens the file in PC Worx, Config+, or PC Worx Express, improper input validation allows the attacker's data to execute code on the workstation, potentially giving them access to other project files, credentials, or the ability to inject backdoors into legitimate automation programs.
Prerequisites
  • Project file must be opened in one of the affected PC Worx products (versions 1.86 or earlier)
  • User interaction required: engineer must explicitly open a malicious project file
  • Access to deliver file via email, file-sharing service, or removable media to an authorized user
  • User interaction required to exploit (file must be opened)
  • No patch currently available
  • Low technical complexity to craft malicious file
  • Could allow supply-chain compromise of automation programs
  • Affects engineering workstations, not directly safety systems
Exploitability
Moderate exploit probability (EPSS 7.0%)
Affected products (3)
3 EOL
Product | Affected Versions | Fix Status
PC Worx | ≤ 1.86 | No fix (EOL)
Config+ | ≤ 1.86 | No fix (EOL)
PC Worx Express | ≤ 1.86 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Use secure file exchange services with encryption for all project file transfers; do not use unencrypted email
HARDENING: Train engineering staff to verify the source and integrity of project files before opening, especially those from external sources or unsolicited communications
HARDENING: Restrict project file handling to trusted internal channels and implement file integrity checks (hashing/signing) when possible
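
One way to implement the hashing/signing check above, as an added example that is not part of the advisory or of any Phoenix Contact tooling: the sender builds an HMAC-SHA256-authenticated manifest of SHA-256 file hashes, and the recipient verifies it before opening anything. The shared key, the file names and contents, and the flat (no subfolders) project directory are constructed assumptions.

```python
import hashlib, hmac, json, os, tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def _mac(files, key):
    # Authenticate the canonical JSON form of the name -> hash table.
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_manifest(directory, key):
    """Sender side: hash every file, then protect the list with HMAC-SHA256."""
    files = {n: sha256_file(os.path.join(directory, n))
             for n in sorted(os.listdir(directory))}
    return {"files": files, "mac": _mac(files, key)}

def verify_before_open(directory, manifest, key):
    """Recipient side: return {name: status}; open only files marked 'ok'."""
    if not hmac.compare_digest(_mac(manifest["files"], key), manifest["mac"]):
        raise ValueError("manifest authentication failed; open nothing")
    status = {n: "missing" for n in manifest["files"]}
    for n in os.listdir(directory):
        want = manifest["files"].get(n)
        if want is None:
            status[n] = "unlisted"      # file the sender never vouched for
        elif hmac.compare_digest(want, sha256_file(os.path.join(directory, n))):
            status[n] = "ok"
        else:
            status[n] = "modified"      # changed after the manifest was built
    return status

def demo():
    key = b"constructed-demo-key"       # assumption: key shared out of band
    with tempfile.TemporaryDirectory() as d:
        for n, data in (("line1.dat", b"constructed A"), ("line2.dat", b"constructed B")):
            with open(os.path.join(d, n), "wb") as f:
                f.write(data)
        manifest = build_manifest(d, key)
        with open(os.path.join(d, "line2.dat"), "ab") as f:
            f.write(b" tampered in transit")
        with open(os.path.join(d, "extra.dat"), "wb") as f:
            f.write(b"constructed, not in manifest")
        return verify_before_open(d, manifest, key)

if __name__ == "__main__":
    print(demo())
```

The check runs outside the engineering tool, so a file that fails it is never parsed by the affected software.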
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update to the next version of Automation Worx Software Suite when released by Phoenix Contact (expected end of 2019)
Mitigations - no patch available
The following products have reached End of Life with no planned fix: PC Worx, Config+, PC Worx Express. Apply the following compensating controls:
HARDENING: Segregate engineering workstations on a restricted network segment without direct access to production control systems