Phoenix Contact Classic Line Industrial Controllers
Act Now9.8ICS-CERT ICSA-22-172-05Jun 21, 2022
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
Phoenix Contact classic line industrial controllers lack authentication mechanisms in their control and configuration protocols. An unauthorized attacker with network access to an affected controller could change configurations, manipulate services, or cause denial-of-service conditions. The vulnerability affects multiple controller models across the AXC, ILC, RFC, and FC product lines, as well as PC WORX development platforms.
What this means
What could happen
An attacker on your network could reconfigure PLCs or other controllers without credentials, altering process setpoints, stopping production, or corrupting system configurations. This could impact any manufacturing process relying on these controllers.
Who's at risk
Manufacturing plants using Phoenix Contact classic line controllers for primary process control, including automotive, chemical processing, packaging, and discrete manufacturing facilities. Specific equipment affected includes AXC industrial automation controllers, ILC PLC variants, RFC remote fieldbus controllers, FC field controllers, and PC WORX engineering development workstations. Any facility relying on these devices for production control, material handling, or process sequencing should assess exposure.
How it could be exploited
An attacker with network access to a Phoenix Contact classic line controller on your LAN can send unauthenticated control or configuration commands directly to the device. The device will accept and execute these commands because the protocols do not validate sender identity. No special tools or code execution are required—protocol-level commands alone allow full control.
Prerequisites
- Network access to the controller (same LAN or routed path)
- No credentials or authentication required by design
- Knowledge of the controller's protocol (not widely public, but discoverable via port scanning and reverse engineering)
Remotely exploitable over networkNo authentication required by designLow attack complexityNo patches available for most productsAffects critical process control devicesHigh CVSS severity (9.8)
Exploitability
Moderate exploit probability (EPSS 1.6%)
Affected products (14)
14 EOL
ProductAffected VersionsFix Status
AXC 1050: Article number 27009882700988No fix (EOL)
AXC 3050: Article number 27009892700989No fix (EOL)
FC 350 PCI ETH: Article number 27308442730844No fix (EOL)
ILC 1x0: All variantsAll versionsNo fix (EOL)
ILC 1x1: All variantsAll versionsNo fix (EOL)
ILC 3xx: All variantsAll versionsNo fix (EOL)
PC WORX RT BASIC: Article number 27002912700291No fix (EOL)
PC WORX SRT: Article number 27016802701680No fix (EOL)
Remediation & Mitigation
0/4
Do now
0/2HARDENINGIsolate affected controllers to a closed industrial network not directly accessible from corporate networks or the internet. Do not route traffic to these devices from outside the control room LAN.
WORKAROUNDDeploy a firewall rule that blocks unauthenticated access to the controller's management and control ports from untrusted networks. Allow only traffic from engineering workstations and supervisory systems on the same network segment.
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
WORKAROUNDFor controllers that support CPU services or web-based management (WBM), disable OT communication protocols via console or web interface according to Phoenix Contact's application note. See product-specific firmware versions listed in the advisory.
Mitigations - no patch available
0/1The following products have reached End of Life with no planned fix: AXC 1050: Article number 2700988, AXC 3050: Article number 2700989, FC 350 PCI ETH: Article number 2730844, ILC 1x0: All variants, ILC 1x1: All variants, ILC 3xx: All variants, PC WORX RT BASIC: Article number 2700291, PC WORX SRT: Article number 2701680, RFC 430 ETH: Article number 2730190, RFC 450 ETH: Article number 2730200, RFC 460R: Article number 2700784, RFC 470S: Article number 2916794, RFC 480S: Article number 2404577, AXC 1050XC: Article number 2701295. Apply the following compensating controls:
HARDENINGReview network diagrams and access control lists to ensure affected controllers are not reachable from VLAN segments containing corporate IT systems, guest networks, or internet-connected devices.
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/3fc6de5f-a5b5-452c-ad0f-3d3ddd924a0a