OTPulse

ICSA-20-063-02_PHOENIX CONTACT Emalytics Controller ILC

Act Now · CVSS 9.4 · ICS-CERT ICSA-20-063-02 · Mar 3, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Phoenix Contact ILC 2050 controllers (both BI and BI-L models) contain a file permission vulnerability (CWE-732) that allows unauthenticated remote code execution over the network. The vulnerability affects all firmware versions prior to 1.2.3. An attacker can gain arbitrary code execution on the controller without requiring any credentials or user interaction, potentially leading to complete compromise of the device and the processes it controls. Phoenix Contact has released updated Emalytics engineering software (v1.2.3 or higher); to remediate the issue, the updated software must be deployed and the controllers recommissioned.

What this means
What could happen
An attacker with network access to the ILC 2050 controller could execute arbitrary code and gain full control over the device, allowing them to modify process parameters, stop operations, or cause equipment damage in water treatment or industrial automation environments.
Who's at risk
Water utilities, municipal electric systems, and industrial automation facilities using Phoenix Contact ILC 2050 controllers for process automation, pump control, or distributed logic. Both the BI-L and BI (standard) models are affected across all firmware versions prior to 1.2.3.
How it could be exploited
An attacker on the network segment containing the ILC 2050 can send a specially crafted network request to exploit a file permission vulnerability (CWE-732) in the controller firmware. This allows remote code execution without requiring any credentials or authentication. Once the code runs, the attacker has the same privileges as the controller itself.
Prerequisites
  • Network access to the ILC 2050 controller on its management or control port
  • ILC 2050 running firmware version 1.2.2 or earlier
remotely exploitable · no authentication required · low complexity · no patch available · high integrity impact
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
ILC 2050 BI (Article number 2403160): all | < 1.2.3 | 1.2.3
ILC 2050 BI-L (Article number 2404671): all | < 1.2.3 | 1.2.3
Remediation & Mitigation
Do now
HARDENING: Isolate the ILC 2050 controller on a separate network segment behind a firewall, blocking all inbound network access except from authorized engineering workstations
HARDENING: If remote access to the controller is required, implement a VPN connection from a secured gateway and disable direct Internet exposure of the device
HARDENING: Implement network access controls to prevent communication from untrusted network segments to the controller
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Emalytics engineering software to version 1.2.3 or higher and recommission the ILC 2050 controllers
ICSA-20-063-02_PHOENIX CONTACT Emalytics Controller ILC | CVSS 9.4 - OTPulse