ICSA-20-063-02_PHOENIX CONTACT Emalytics Controller ILC

Plan PatchCVSS 9.4ICS-CERT ICSA-20-063-02Feb 17, 2020

Phoenix ContactHealthcare

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Phoenix Contact ILC 2050 controllers (both BI and BI-L models) contain a file permission vulnerability (CWE-732) that allows unauthenticated remote code execution over the network. The vulnerability affects all firmware versions prior to 1.2.3. An attacker can gain arbitrary code execution on the controller without requiring any credentials or user interaction, potentially leading to complete compromise of the device and the processes it controls. Phoenix Contact has released updated Emalytics engineering software (v1.2.3 or higher) that must be deployed and the controllers recommissioned to remediate the issue.

What this means

What could happen

An attacker with network access to the ILC 2050 controller could execute arbitrary code and gain full control over the device, allowing them to modify process parameters, stop operations, or cause equipment damage in water treatment or industrial automation environments.

Who's at risk

Water utilities, municipal electric systems, and industrial automation facilities using Phoenix Contact ILC 2050 controllers for process automation, pump control, or distributed logic. Both the BI-L and BI (standard) models are affected across all firmware versions prior to 1.2.3.

How it could be exploited

An attacker on the network segment containing the ILC 2050 can send a specially crafted network request to exploit a file permission vulnerability (CWE-732) in the controller firmware. This allows remote code execution without requiring any credentials or authentication. Once the code runs, the attacker has the same privileges as the controller itself.

Prerequisites

Network access to the ILC 2050 controller on its management or control port
ILC 2050 running firmware version 1.2.2 or earlier

remotely exploitableno authentication requiredlow complexityno patch availablehigh integrity impact

Exploitability

Unlikely to be exploited — EPSS score 0.6%

Affected products (4)

4 with fix

ProductAffected VersionsFix Status

ILC 2050 BI<1.2.31.2.3

ILC 2050 BI-L<1.2.31.2.3

ILC 2050 BI (Article number 2403160): all< 1.2.31.2.3

ILC 2050 BI-L (Article number 2404671): all< 1.2.31.2.3

Remediation & Mitigation

0/4

Do now

0/3

HARDENINGIsolate the ILC 2050 controller on a separate network segment behind a firewall, blocking all inbound network access except from authorized engineering workstations

HARDENINGIf remote access to the controller is required, implement a VPN connection from a secured gateway and disable direct Internet exposure of the device

HARDENINGImplement network access controls to prevent communication from untrusted network segments to the controller

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Emalytics engineering software to version 1.2.3 or higher and recommission the ILC 2050 controllers

CVEs (1)

CVE-2020-8768

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/192b5159-c61d-4c51-8f80-bacf43ac5204

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.