PHOENIX CONTACT: Security Advisory for Automation Worx Software Suite

Monitor
CVSS 7
VDE-2021-020
Jun 23, 2021
Attack Vector: Local
Auth Required: None
Complexity: High
User Interaction: Required
Summary

Manipulated PC Worx or Config+ bus configuration (.bcp) project files can lead to remote code execution when the file is opened on an engineering workstation. The vulnerability exists because data structures are incompletely initialized in memory (CWE-824). An attacker must intercept or gain access to a legitimate .bcp file, modify it, and replace the original file on the engineering workstation. When an engineer opens the manipulated file, the uninitialized memory is freed, triggering code execution. No patch is currently available for PC Worx (≤1.87), PC Worx Express (≤1.87), or Config+ (≤1.87). The vendor has stated that a future version will initialize all affected data completely to prevent this issue.

What this means
What could happen
An attacker who can replace a bus configuration file on an engineering workstation could trigger remote code execution when the file is opened, potentially allowing them to modify PLC programs or insert malicious logic into automation projects before they are deployed to field devices.
Who's at risk
Engineering teams using Phoenix Contact Automationworx Software Suite (PC Worx, PC Worx Express, or Config+) to design automation and control systems are affected. This includes utilities, manufacturers, and system integrators who develop, maintain, or modify PLC programs and bus configurations for industrial control systems.
How it could be exploited
The attacker must gain access to a .bcp (bus configuration) file used in PC Worx or Config+ projects—either by intercepting unencrypted file transfers or compromising file storage. The attacker modifies the file to trigger uninitialized memory access. When an engineer opens the manipulated project file on the workstation, the vulnerability is triggered, allowing code execution in the context of the engineering application.
Prerequisites
  • Access to a legitimate .bcp project file from the target organization
  • Ability to modify and replace the file on the engineering workstation or in transit
  • An engineer must open the manipulated file in PC Worx or Config+ (user interaction required)
  • No authentication required after file substitution
  • Low complexity attack (file replacement)
  • No patch currently available for affected versions
  • Requires user interaction (opening a file)
  • Could affect safety-critical automation projects
Affected products (3)
1 pending, 2 EOL

| Product | Affected Versions | Fix Status |
|---|---|---|
| Config+ | ≤ 1.87 | No fix yet |
| PC Worx | ≤ 1.87 | No fix (EOL) |
| PC Worx Express | ≤ 1.87 | No fix (EOL) |
Remediation & Mitigation
Do now
  • WORKAROUND: Use secure, encrypted file transfer services (e.g., SFTP, VPN-protected file sharing, digitally signed files) when exchanging .bcp project files with vendors, contractors, or other teams
  • HARDENING: Never exchange .bcp project files via unencrypted email
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Restrict file access on engineering workstations: only authorized engineers should have write access to directories containing .bcp project files
  • HOTFIX: Upgrade to the next version of Automationworx Software Suite when available to receive the complete data initialization fix
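
One way to detect a replaced .bcp file before an engineer opens it, as an added example that is not part of the advisory or of any Phoenix Contact tooling. It uses a shared-key HMAC from the Python standard library in place of a public-key digital signature; the manifest layout, the function names and the demo key are assumptions, and the sample files are constructed placeholders, not real .bcp content.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def _digest(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def _mac(files, key):
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(project_dir, key):
    """Sender side: hash every .bcp file and authenticate the listing."""
    root = Path(project_dir)
    files = {p.relative_to(root).as_posix(): _digest(p) for p in sorted(root.rglob("*.bcp"))}
    return {"files": files, "mac": _mac(files, key)}


def verify_manifest(project_dir, manifest, key):
    """Receiver side: return findings; an empty list means nothing changed."""
    if not hmac.compare_digest(_mac(manifest["files"], key), manifest.get("mac", "")):
        return ["manifest: MAC mismatch"]  # the listing itself cannot be trusted
    root = Path(project_dir)
    on_disk = {p.relative_to(root).as_posix(): p for p in root.rglob("*.bcp")}
    findings = []
    for name, expected in manifest["files"].items():
        if name not in on_disk:
            findings.append(name + ": missing")
        elif _digest(on_disk[name]) != expected:
            findings.append(name + ": modified")
    findings += [n + ": unlisted" for n in sorted(set(on_disk) - set(manifest["files"]))]
    return findings


def demo():  # constructed sample files, not real .bcp content
    key = b"constructed-demo-key"  # assumption: shared out of band, never stored with the files
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "line1.bcp").write_bytes(b"constructed placeholder A")
        (root / "line2.bcp").write_bytes(b"constructed placeholder B")
        manifest = build_manifest(root, key)
        clean = verify_manifest(root, manifest, key)
        (root / "line2.bcp").write_bytes(b"replaced after the manifest was made")
        (root / "extra.bcp").write_bytes(b"not in the manifest")
        return clean, verify_manifest(root, manifest, key)
```

Any non-empty result from `verify_manifest` means the project should not be opened in PC Worx or Config+ until the difference is explained.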
PHOENIX CONTACT: Security Advisory for Automation Worx Software Suite | CVSS 7 - OTPulse