OTPulse

Phoenix Contact Automation Worx Software Suite

Monitor | 7.8 | ICS-CERT ICSA-20-191-01 | Jul 9, 2020
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Phoenix Contact Automation Worx Software Suite (PC Worx and PC Worx Express versions 1.87 and earlier) contains a buffer overflow vulnerability (CWE-121) and an out-of-bounds read vulnerability (CWE-125) in project file parsing. Successful exploitation allows arbitrary code execution with the privileges of the application. The vulnerabilities are triggered when a user opens a specially crafted project file. They are not remotely exploitable and require local file handling. Phoenix Contact has announced that the next version will implement improved input validation for file size and object references, but no fixed version is currently available.

What this means
What could happen
An attacker could execute arbitrary code with the privileges of the Automation Worx application if they can trick an operator into opening a malicious project file, potentially altering control logic or shutting down engineering workstations.
Who's at risk
Engineering and control system operators at utilities and manufacturing facilities who use Phoenix Contact's Automation Worx software to develop and maintain PLC logic and automation projects. This includes water treatment plants, electric utilities, and manufacturing sites that rely on PC Worx or PC Worx Express for system configuration and commissioning.
How it could be exploited
An attacker crafts a malicious Automation Worx project file with a buffer overflow or out-of-bounds read payload. The file is delivered to an operator (e.g., via email or file sharing) and opened in PC Worx or PC Worx Express, triggering code execution during file parsing. The attacker gains the privileges of the application process on the workstation.
Prerequisites
  • User must open a malicious project file in PC Worx or PC Worx Express
  • File delivery method (email, USB, file share)
  • No special network access required—this is a local file handling vulnerability
  • No patch available
  • Low attack complexity
  • User interaction required (file opening)
  • Affects engineering workstations and development environments
Exploitability
Moderate exploit probability (EPSS 8.4%)
Affected products (2)
2 EOL
| Product | Affected Versions | Fix Status |
|---|---|---|
| PC Worx Express | ≤ 1.87 | No fix (EOL) |
| PC Worx | ≤ 1.87 | No fix (EOL) |
Remediation & Mitigation
Do now
  • WORKAROUND: Do not open Automation Worx project files from untrusted or unexpected sources
  • HARDENING: Exchange project files only via secure file exchange services, never unencrypted email
  • HARDENING: Use checksums or digital signatures to verify project file integrity before opening
Mitigations - no patch available
The following products have reached End of Life with no planned fix: PC Worx Express, PC Worx. Apply the following compensating controls:
  • HARDENING: Isolate engineering workstations from the Internet and restrict file transfer methods
  • HARDENING: Monitor for suspicious file activity or unexpected project file modifications
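
One way to apply the checksum recommendation above before a project file is opened. This is an added example, not code from the advisory or from Phoenix Contact. It assumes the sender publishes a `sha256sum`-style manifest over a separate trusted channel; the script name `verify_project.py` is hypothetical.

```python
import hashlib
import hmac
import sys
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so large project files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_manifest(text):
    """Parse sha256sum-style lines ('<64 hex chars>  <file name>') into a dict."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # sha256sum marks binary mode with '*'
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        bytes.fromhex(digest)  # raises ValueError if the digest is not hex
        expected[name] = digest.lower()
    return expected

def check_project_file(path, manifest):
    """Return (ok, reason); files that are unlisted or differ are rejected."""
    path = Path(path)
    want = manifest.get(path.name)  # manifest is keyed by file name only
    if want is None:
        return False, "not listed in manifest"
    if not path.is_file():
        return False, "file missing"
    got = sha256_file(path)
    if not hmac.compare_digest(got, want):
        return False, f"digest mismatch (got {got})"
    return True, "digest matches manifest"

if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: verify_project.py MANIFEST FILE [FILE ...]")
    manifest = parse_manifest(Path(sys.argv[1]).read_text())
    results = [(f, *check_project_file(f, manifest)) for f in sys.argv[2:]]
    for f, ok, reason in results:
        print(f"{'OK  ' if ok else 'DENY'} {f}: {reason}")
    sys.exit(0 if all(ok for _, ok, _ in results) else 1)
```

A matching digest only shows the file is the one the manifest's author hashed, so the manifest must not travel alongside the project file it describes.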