PHOENIX CONTACT: PC Worx/-Express prone to improper input validation vulnerability

Monitor | CVSS 7.8 | VDE-2021-052 | Nov 3, 2021
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

PC Worx and PC Worx Express (up to version 1.88) contain a path traversal vulnerability ('zip slip') when loading project files. The application does not properly validate file paths during archive extraction, allowing an attacker to write arbitrary files outside the intended project directory. A future version of Automation Worx Software Suite will include additional validation checks to address this issue.

What this means
What could happen
An attacker who crafts a malicious project file and tricks an engineer into opening it in PC Worx could write files anywhere on the engineering workstation, potentially overwriting critical files or inserting malware that persists across system reboots.
Who's at risk
This affects any water utility, electric utility, or other industrial facility that uses Phoenix Contact's PC Worx or PC Worx Express software for engineering and maintenance of automation systems. Impact is limited to engineering workstations where project files are edited and loaded; production PLCs and field devices are not directly affected unless malware is injected into a project that is then downloaded to those devices.
How it could be exploited
An attacker creates a specially crafted project file (ZIP archive) that exploits improper path validation when extracting files. When an engineer opens this file in PC Worx or PC Worx Express, the application extracts the archive contents without properly validating paths, allowing relative paths or directory traversal sequences (e.g., "../../../") to write files outside the intended project directory. The attacker delivers this file via email, file share, or social engineering.
Prerequisites
  • User interaction: An engineer must open the malicious project file in PC Worx or PC Worx Express
  • Local file system write access: The attacker's payload is written with the privileges of the user running PC Worx
  • Ability to deliver the crafted project file to the target (email, cloud storage, etc.)
  • No patch available
  • User interaction required (reduces risk but social engineering remains viable)
  • Local file write capability could enable privilege escalation or malware persistence
Affected products (2)
2 EOL
Product                            Affected Versions   Fix Status
PHOENIX CONTACT PC Worx            ≤ 1.88              No fix (EOL)
PHOENIX CONTACT PC Worx Express    ≤ 1.88              No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Use secure file exchange services (SFTP, VPN, encrypted file sharing) for all project file transfers instead of unencrypted email
WORKAROUND: Verify project file integrity using checksums before opening files received from external sources
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Restrict project file access to trusted sources and establish a file review process before opening unfamiliar project files on engineering workstations
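
One way to support the file review process, as an added example (not code from Phoenix Contact or this advisory): a Python check that lists archive entries whose paths would resolve outside the extraction directory. It assumes the project file can be read as a standard ZIP archive, as described under "How it could be exploited"; the function names and the sample entries are constructed for illustration.

```python
import io
import ntpath
import posixpath
import zipfile


def escapes_target(name: str) -> bool:
    """True if an archive entry name would resolve outside the extraction root."""
    # Windows accepts both separators, so normalise backslashes first.
    unified = name.replace("\\", "/")
    # Absolute, UNC and drive-letter paths ignore the extraction root entirely.
    if unified.startswith("/") or ntpath.splitdrive(name)[0]:
        return True
    # Collapse "." and ".." segments; a leading ".." means the path climbs out.
    normalised = posixpath.normpath(unified)
    return normalised == ".." or normalised.startswith("../")


def unsafe_entries(archive) -> list[str]:
    """Return entry names in a ZIP (path or file object) that escape the root."""
    with zipfile.ZipFile(archive) as zf:
        return [info.filename for info in zf.infolist()
                if escapes_target(info.filename)]


def build_sample() -> io.BytesIO:
    """Constructed in-memory archive: two ordinary entries, three that escape."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("project/main.txt", "project/lib/../lib.txt",
                     "../../../outside.txt", "..\\..\\outside.txt",
                     "C:/outside.txt"):
            zf.writestr(name, b"constructed sample")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Review step: report every entry that would land outside the project dir.
    for entry in unsafe_entries(build_sample()):
        print("escapes extraction directory:", entry)
```

A clean result only rules out traversal through entry names; it says nothing about the contents of the files in the archive.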
Mitigations - no patch available
The following products have reached End of Life with no planned fix: PHOENIX CONTACT PC Worx, PHOENIX CONTACT PC Worx Express. Apply the following compensating controls:
HARDENING: Run PC Worx under a least-privilege user account that does not have write access to critical system directories
PHOENIX CONTACT: PC Worx/-Express prone to improper input validation vulnerability | CVSS 7.8 - OTPulse