PHOENIX CONTACT: DoS for PLCnext Control devices in versions <2021.0.5 LTS

Plan PatchCVSS 7.5VDE-2021-029Aug 4, 2021

Phoenix ContactManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A denial-of-service vulnerability exists in Phoenix Contact PLCnext Control devices. An attacker on the same network can send a specially crafted JSON request to the /auth/access-token endpoint, causing improper input validation (CWE-20) that crashes the device and forces an unplanned restart. Affected products include AXC F 1152, AXC F 2152, AXC F 2152 Starterkit, AXC F 3152, RFC 4072S, and PLCnext Technology Starterkit in all versions before 2021.0.5 LTS. The vulnerability has been updated to CVSS 9.1 reflecting its network-based exploitability and impact on device availability.

What this means

What could happen

An attacker on the same network can send a malformed JSON request to the controller's authentication endpoint, causing it to restart and halt process operations until manually restarted.

Who's at risk

Manufacturing facilities using Phoenix Contact PLCnext controllers (AXC F 1152, AXC F 2152, AXC F 3152, RFC 4072S, and their Starterkits) in versions before 2021.0.5 LTS should prioritize remediation. This affects any automated process, assembly line, or control application relying on these devices for continuous operation.

How it could be exploited

An attacker on the local network sends a specially crafted JSON request to the /auth/access-token endpoint of the PLCnext controller. The device fails to properly validate the request (CWE-20), processes it unsafely, and crashes, triggering an unplanned restart.

Prerequisites

Network access to the controller's Ethernet port or shared network segment
Knowledge of the /auth/access-token endpoint

remotely exploitableno authentication requiredlow complexityhigh CVSS score (7.5–9.1)affects critical process control

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (6)

6 with fix

ProductAffected VersionsFix Status

AXC F 1152<2021.0.5 LTS2021.0.5 LTS

AXC F 2152<2021.0.5 LTS2021.0.5 LTS

AXC F 2152 Starterkit<2021.0.5 LTS2021.0.5 LTS

AXC F 3152<2021.0.5 LTS2021.0.5 LTS

PLCnext Technology Starterkit<2021.0.5 LTS2021.0.5 LTS

RFC 4072S<2021.0.5 LTS2021.0.5 LTS

Remediation & Mitigation

0/3

Do now

0/1

WORKAROUNDRestrict network access to PLCnext controllers using a firewall; allow only engineering workstations and authorized control systems to communicate with the device

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

RFC 4072S

HOTFIXUpdate all affected AXC F and RFC 4072S devices to firmware version 2021.0.5 LTS or later

Long-term hardening

0/1

HARDENINGDeploy controllers on a segregated OT network segment separate from general corporate IT networks

CVEs (1)

CVE-2021-34570

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/04433834-a87c-4315-b7b6-2309c77c8b38

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.