OTPulse

Phoenix Contact Classic Line Controllers

Act Now · CVSS 9.8 · ICS-CERT ICSA-22-172-03 · Jun 21, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in Phoenix Contact classic line controllers (AXC, ILC, RFC, FC 350 series, and PC WORX engineering software) allows unauthenticated upload of arbitrary logic code. Affected devices do not verify the origin or integrity of uploaded code before execution. An attacker with network access could upload malicious logic to alter process behavior, modify setpoints, or halt operations. The vulnerability affects all versions of these products and no vendor patch is planned.

What this means
What could happen
An attacker with network access to a Phoenix Contact classic line controller could upload arbitrary logic code, allowing them to modify process behavior, alter setpoints, stop operations, or cause equipment damage without detection.
Who's at risk
Water authorities, electric utilities, and any industrial facility running Phoenix Contact classic line controllers (AXC, ILC, RFC, FC 350 series) for process automation, protection relays, or remote terminal units. Any operator using PC WORX engineering software to manage these devices is affected.
How it could be exploited
An attacker sends malicious logic or firmware to the controller over the network (Modbus, Ethernet, or proprietary protocols). If the controller accepts unsigned or unverified code uploads, the attacker's logic runs with full control of the device, overriding normal process logic.
Prerequisites
  • Network connectivity to the controller (Ethernet or serial/Modbus interface)
  • No authentication required to upload logic
  • Controller does not verify code signature or origin
  • Device must be reachable from attacker's network segment
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • No patch available for any affected product
  • Affects critical control devices (PLCs, protection relays, RTUs)
  • Code execution allows full operational control
Exploitability
Moderate exploit probability (EPSS 1.6%)
Affected products (17)
17 EOL
Product | Affected Versions | Fix Status
AXC 1050: Article number 2700988 | 2700988 | No fix (EOL)
AXC 3050: Article number 2700989 | 2700989 | No fix (EOL)
FC 350 PCI ETH: Article number 2730844 | 2730844 | No fix (EOL)
ILC 1x0: All variants | All versions | No fix (EOL)
ILC 1x1: All variants | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate classic line controllers in a protected OT network segment behind a firewall with strict ingress/egress rules
HARDENING: Restrict engineering workstation connections to controllers to local-only or VPN-protected remote access; disable direct internet-facing access
HARDENING: Require integrity and authenticity verification (digital signatures or checksums) before accepting any logic or project file uploads
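
One way to enforce the integrity check above on the engineering workstation, since the controllers themselves do not verify uploads (an added example, not OTPulse's or Phoenix Contact's code). It uses an HMAC-SHA256-tagged manifest of SHA-256 digests as a keyed checksum; the file names, key and function names are hypothetical, and the key is assumed to come from a secrets store in real use.

```python
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(files: dict, key: bytes) -> tuple:
    """Build the approved-release manifest and its HMAC-SHA256 tag."""
    digests = {name: sha256_hex(blob) for name, blob in files.items()}
    manifest = json.dumps(digests, sort_keys=True).encode()
    return manifest, hmac.new(key, manifest, hashlib.sha256).hexdigest()


def check_before_download(manifest: bytes, tag: str, key: bytes,
                          candidates: dict) -> dict:
    """Return {file name: verdict} for files staged for a controller."""
    expected = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        # The manifest is not authentic, so none of its digests are trusted.
        return {name: "reject: manifest tag invalid" for name in candidates}
    approved = json.loads(manifest)
    verdicts = {}
    for name, blob in candidates.items():
        if name not in approved:
            verdicts[name] = "reject: not in approved manifest"
        elif not hmac.compare_digest(approved[name], sha256_hex(blob)):
            verdicts[name] = "reject: digest mismatch"
        else:
            verdicts[name] = "ok"
    return verdicts


# Constructed sample data (hypothetical file name and contents).
KEY = b"constructed-demo-key-not-for-production"
RELEASE = {"pump_station_project.bin": b"constructed project bytes v1"}
MANIFEST, TAG = sign_manifest(RELEASE, KEY)

if __name__ == "__main__":
    staged = {
        "pump_station_project.bin": b"constructed project bytes v1 + altered",
        "unreviewed_logic.bin": b"constructed bytes",
    }
    results = check_before_download(MANIFEST, TAG, KEY, staged)
    for name, verdict in results.items():
        print(f"{name} -> {verdict}")
```

A deployment procedure would refuse to open a controller session unless every staged file returns `ok`.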
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Store all controller logic and project files in encrypted, access-controlled repositories—never email or transfer over unsecured channels
Mitigations - no patch available
The following products have reached End of Life with no planned fix: AXC 1050: Article number 2700988, AXC 3050: Article number 2700989, FC 350 PCI ETH: Article number 2730844, ILC 1x0: All variants, ILC 1x1: All variants, ILC 1x1 GSM/GPRS: Article number 2700977, ILC 3xx: All variants, PC WORX RT BASIC: Article number 2700291, PC WORX SRT: Article number 2701680, RFC 430 ETH-IB: Article number 2730190, RFC 450 ETH-IB: Article number 2730200, RFC 460R PN 3TX: Article number 2700784, RFC 470 PN 3TX: Article number 2916600, RFC 470S PN 3TX: Article number 2916794, RFC 480S PN 4TX: Article number 2404577, AXC 1050 XC: Article number 2701295, RFC 460R PN 3TX-S: Article number 1096407. Apply the following compensating controls:
HARDENING: Implement network segmentation and defense-in-depth: use firewalls to divide the plant into OT zones, restrict zone-to-zone traffic
Phoenix Contact Classic Line Controllers | CVSS 9.8 - OTPulse