PHOENIX CONTACT: Niche Ethernet Stack for ILC1x0, ILC1x1 and AXC 1050 Industrial controllers and CHARX control DC

Plan PatchCVSS 9.1VDE-2021-032Aug 4, 2021

Phoenix ContactManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Phoenix Contact Classic Line industrial controllers (ILC1x0, ILC1x1, AXC 1050, EV-PLCC-AC1-DC1) contain vulnerabilities in the third-party Niche Ethernet stack that can be exploited by remote attackers to cause denial of service or breach data integrity. The controllers lack authentication mechanisms in their communication protocols by design. Attackers can send specially crafted IP packets to trigger crashes or alter device data, potentially disrupting production. No firmware updates are available for any affected product version.

What this means

What could happen

Remote attackers can send malformed network packets to cause the PLC to stop responding (denial of service) or alter data integrity, potentially disrupting production processes. Since these controllers lack authentication, any attacker on the network can exploit this vulnerability.

Who's at risk

Manufacturing facilities and utilities using Phoenix Contact Classic Line controllers (ILC1x0, ILC1x1 series and AXC 1050) for critical process control, logic operations, or distributed I/O applications. Any organization with these PLCs on networks that are not fully isolated should be concerned, as the vulnerability requires no credentials and can be triggered from any network-adjacent attacker.

How it could be exploited

An attacker on the same network (or with routed access to the network) sends specially crafted IP packets to the Ethernet interface of the affected PLC. The Niche Ethernet stack processes these packets without authentication or validation, resulting in a crash or data corruption. No credentials or special configuration are required.

Prerequisites

Network access to the affected PLC on the same subnet or routable network segment
No credentials required; vulnerability is unauthenticated

remotely exploitableno authentication requiredlow complexityno patch availableaffects industrial controllers (may impact production)

Exploitability

Unlikely to be exploited — EPSS score 0.7%

Affected products (4)

4 EOL

ProductAffected VersionsFix Status

AXC 1050All versionsNo fix (EOL)

EV-PLCC-AC1-DC1All versionsNo fix (EOL)

ILC1x0All versionsNo fix (EOL)

ILC1x1All versionsNo fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

AXC 1050

HARDENINGIsolate affected Phoenix Contact controllers (ILC1x0, ILC1x1, AXC 1050, EV-PLCC-AC1-DC1) to a closed, air-gapped network or VLAN with no external connectivity

All products

WORKAROUNDDeploy a firewall between affected controllers and any untrusted network segments; implement strict ingress/egress filtering to allow only necessary industrial protocols

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

WORKAROUNDIf network connectivity is required, deploy Phoenix Contact mGuard network segmentation appliances to control and monitor traffic to vulnerable devices

HARDENINGDocument the network topology and connectivity of all affected devices to ensure no unintended exposure to untrusted networks

CVEs (6)

CVE-2020-35685 CVE-2021-31401 CVE-2021-31400 CVE-2020-35684 CVE-2020-35683 CVE-2021-31227

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/33380de0-b146-49a2-9680-bf9fa3f8e2ad

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.