PHOENIX CONTACT: Multiple Vulnerabilities in PLCnext Firmware

Severity: Act Now (CVSS 9.8)
Advisory ID: VDE-2023-001
Published: Feb 14, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Phoenix Contact PLCnext controllers contain multiple critical vulnerabilities in firmware versions before 2023.0.0 LTS, including buffer overflows (CWE-787, CWE-121), use-after-free flaws (CWE-416), path traversal (CWE-22), and weak cryptography (CWE-327, CWE-319) stemming from vulnerable open-source libraries. The Web-Based Management (WBM) interface is susceptible to cross-site scripting attacks, and the HMI is vulnerable to denial-of-service and memory leak attacks. The User Manager component has hardening gaps in the Trust and Identity Stores and improper password validation. Remote attackers can exploit these over the network without authentication to achieve remote code execution, cause denial of service, or extract sensitive data from the controller's memory.

What this means
What could happen
An attacker with network access to a PLCnext controller could exploit multiple vulnerabilities to gain remote code execution, allowing them to modify process logic, alter setpoints, or halt production. Additionally, attackers could trigger denial-of-service conditions that crash the controller or leak sensitive information from memory.
Who's at risk
Manufacturing facilities operating PLCnext automation controllers (AXC F series, BPC 9102S, RFC 4072 series) for industrial process control, motor drives, remote I/O, and networked automation logic should treat this as critical. Any facility with these devices exposed to untrusted networks is at immediate risk.
How it could be exploited
An attacker on the network or the internet (if the controller is exposed) could send specially crafted network packets or HTTP requests to the PLCnext device. These packets exploit buffer overflow, input validation, or cryptographic weaknesses in the firmware to execute arbitrary code or cause the system to crash. No authentication is required because the vulnerabilities exist in network-facing services that process unauthenticated input.
Prerequisites
  • Network access to the PLCnext controller (TCP ports 80/443 for the WBM interface, or other exposed network services)
  • No valid credentials required for exploitation of network-facing services
  • Device must be running affected firmware versions before 2023.0.0 LTS
Tags: remotely exploitable; no authentication required; low complexity; high CVSS score (9.8); affects production control systems; multiple memory safety and injection vulnerabilities; affects open-source library dependencies used by critical ICS platforms
Affected products (6, all with a fix available)
Product       Affected Versions    Fix Status
AXC F 1152    < 2023.0.0 LTS       2023.0.0 LTS
AXC F 2152    < 2023.0.0 LTS       2023.0.0 LTS
AXC F 3152    < 2023.0.0 LTS       2023.0.0 LTS
BPC 9102S     < 2023.0.0 LTS       2023.0.0 LTS
RFC 4072R     < 2023.0.0 LTS       2023.0.0 LTS
RFC 4072S     < 2023.0.0 LTS       2023.0.0 LTS
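To check an asset inventory against the table above, the following added example (not part of the advisory or of any Phoenix Contact tooling) classifies each device by product and firmware version; the inventory rows, device names and firmware strings are constructed, and firmware strings that cannot be parsed are flagged for manual review rather than treated as patched.

```python
import re

# Affected products and the first fixed firmware, taken from the advisory table above.
AFFECTED_PRODUCTS = {"AXC F 1152", "AXC F 2152", "AXC F 3152",
                     "BPC 9102S", "RFC 4072R", "RFC 4072S"}
FIXED_VERSION = (2023, 0, 0)  # 2023.0.0 LTS

# Assumed firmware string shapes: "2022.0.5 LTS", "2022.6" or "2023.0.0 LTS".
VERSION_RE = re.compile(r"^(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*LTS)?$")


def parse_version(text):
    """Return (year, minor, patch) for a firmware string, or None if it cannot be parsed."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    year, minor, patch = m.groups()
    return (int(year), int(minor), int(patch or 0))


def classify(product, firmware):
    """Classify one device: 'affected', 'fixed', 'not_listed' or 'unknown_version'."""
    if product not in AFFECTED_PRODUCTS:
        return "not_listed"
    version = parse_version(firmware)
    if version is None:
        return "unknown_version"  # flag for manual review instead of silently passing
    return "affected" if version < FIXED_VERSION else "fixed"


def triage(inventory):
    """Group an inventory of (name, product, firmware) rows by classification."""
    groups = {"affected": [], "fixed": [], "not_listed": [], "unknown_version": []}
    for name, product, firmware in inventory:
        groups[classify(product, firmware)].append(name)
    return groups


# Constructed sample inventory; device names and firmware strings are hypothetical.
SAMPLE_INVENTORY = [
    ("plc-line1", "AXC F 2152", "2022.0.5 LTS"),
    ("plc-line2", "AXC F 2152", "2023.0.0 LTS"),
    ("edge-pc", "BPC 9102S", "2022.6"),
    ("rfc-cell3", "RFC 4072S", "2023.0.1 LTS"),
    ("rfc-cell4", "RFC 4072R", "n/a"),
    ("hmi-panel", "Other Device", "2021.0.0"),
]

if __name__ == "__main__":
    for status, names in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(names) or '-'}")
```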
Remediation & Mitigation
Do now
Workaround: Restrict network access to PLCnext controllers using a firewall; allow only trusted engineering workstations and SCADA systems to communicate with the device.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Hotfix (AXC F 1152 and the other affected controllers): Update all affected PLCnext controllers (AXC F 1152, AXC F 2152, AXC F 3152, BPC 9102S, RFC 4072R, RFC 4072S) to firmware version 2023.0.0 LTS or later.
Hotfix (all products): Update PLCnext Engineer software on all engineering workstations to the latest version.
Long-term hardening
Hardening: Place PLCnext controllers on a closed, isolated network segment separate from the internet and untrusted networks.
CVEs (64)