Phoenix Contact ProConOS and MULTIPROG
Act Now | CVSS 9.8 | ICS-CERT ICSA-22-172-04 | Jun 21, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A vulnerability in ProConOS, ProConOS eCLR, and MULTIPROG control system kernels allows an attacker with access to the network communication path to upload arbitrary malicious code to affected controllers without authentication. The vulnerability exists in the code upload functionality and could allow an attacker to modify controller logic, bypass safety functions, or halt operations. Successful exploitation requires only network access to the controller communication interface and no credentials.
What this means
What could happen
An attacker with access to the communication path to a ProConOS, ProConOS eCLR, or MULTIPROG controller could upload and run malicious code, potentially altering process logic, stopping operations, or corrupting control logic permanently.
Who's at risk
This affects all organizations operating automation equipment, programmable logic controllers (PLCs), and industrial controllers built on Phoenix Contact's ProConOS, ProConOS eCLR, or MULTIPROG platforms. This includes manufacturers in water treatment, wastewater, power generation, manufacturing, and other process industries that rely on these control system kernels.
How it could be exploited
An attacker must first gain access to the network communication between an engineering workstation and the ProConOS/ProConOS eCLR/MULTIPROG controller. Once on the network path, the attacker can send malicious code to upload arbitrary logic to the controller without authentication.
Prerequisites
- Network access to communication path between engineering workstation and controller
- Ability to intercept or send traffic to the controller's communication port (typically Ethernet/IP or similar)
- No valid credentials required
- Remotely exploitable
- No authentication required
- Low complexity attack
- No patch available
- Affects safety and control systems
- High CVSS score (9.8)
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (3)
3 EOL
Product | Affected Versions | Fix Status
MULTIPROG | All versions | No fix (EOL)
ProConOS | All versions | No fix (EOL)
ProConOS eCLR | All versions | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Implement network segmentation to isolate OT zones and place controllers behind firewalls that block unauthorized access
- HARDENING: Ensure engineering workstations and controllers are located in a locally protected environment; use VPN with encryption for any remote access to the engineering tools
- WORKAROUND: Do not transmit project data over unprotected channels; use protected environments for all logic transfer and storage, and add integrity/authenticity checks if file transfer is necessary
- HARDENING: Isolate all ProConOS, ProConOS eCLR, and MULTIPROG-based devices from the business network and ensure they are not accessible from the Internet
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Review and update manufacturer security advisories for any devices using ProConOS/ProConOS eCLR, and check your automation device vendors for product-specific guidance
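Added example, not from the advisory or from Phoenix Contact: one way to implement the integrity/authenticity check named in the workaround above when a project has to be moved as files. The HMAC key, file names and file contents are constructed; the key is assumed to be shared out of band between the engineering workstation and the receiving host.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

def file_digests(project_dir):
    """SHA-256 of every file under project_dir, keyed by relative path."""
    root = Path(project_dir)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def manifest_tag(key, digests):
    """HMAC-SHA256 over a canonical JSON encoding of the digest table."""
    canonical = json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def seal(project_dir, key):  # run on the engineering workstation before transfer
    digests = file_digests(project_dir)
    return {"files": digests, "hmac": manifest_tag(key, digests)}

def verify(project_dir, manifest, key):
    """Return a list of findings; an empty list means intact and authentic."""
    files = manifest.get("files", {})
    expected = manifest_tag(key, files).encode()
    if not hmac.compare_digest(expected, str(manifest.get("hmac", "")).encode()):
        return ["manifest: HMAC mismatch, do not trust the file list"]
    actual, findings = file_digests(project_dir), []
    for name in sorted(set(files) | set(actual)):
        if name not in actual:
            findings.append(f"{name}: missing")
        elif name not in files:
            findings.append(f"{name}: not in manifest")
        elif actual[name] != files[name]:
            findings.append(f"{name}: content changed")
    return findings

def demo():  # constructed project, sealed and then altered in transit
    key = b"constructed-demo-key"  # assumption: real key is shared out of band
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "logic.bin").write_bytes(b"constructed controller logic")
        (root / "config.xml").write_bytes(b"<cfg cycle_ms='10'/>")
        manifest = seal(root, key)
        clean = verify(root, manifest, key)
        (root / "logic.bin").write_bytes(b"altered controller logic")
        (root / "config.xml").rename(root / "extra.bin")
        tampered = verify(root, manifest, key)
        forged = verify(root, seal(root, b"attacker-key"), key)
    return clean, tampered, forged

if __name__ == "__main__":
    print(demo())
```

This protects project files in transit and in storage only; it does not add authentication to the controller's own upload interface, which still depends on the network isolation listed above.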
CVEs (1)