OTPulse

Phoenix Contact: Automation Worx and classic line controllers prone to Incorrect Permission Assignment for Critical Resource

Plan PatchCVSS 9.8VDE-2023-055Dec 12, 2023
Phoenix ContactManufacturing
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

Phoenix Contact classic line industrial controllers lack code integrity and authenticity verification for application logic files. Logic files generated by Automation Worx can be modified on engineering workstations or intercepted during transmission and loaded into the PLC without tamper detection. Malicious code can be crafted to remain hidden while modifying process setpoints or disabling interlocks. No firmware patches are available. The controllers are designed for closed industrial networks and must be protected by multi-level security controls including firewalls, network segmentation, VPN for remote access, and restricted access to engineering tools.

What this means
What could happen
An attacker with access to an engineering workstation or the network could modify PLC logic programs without detection, allowing them to alter process setpoints, disable safety interlocks, or stop critical operations while hiding the tampering from operators and logs.
Who's at risk
Manufacturing facilities operating Phoenix Contact classic line controllers (AXC, ILC, RFC series) and engineering workstations running Automation Worx, Config+, or PC Worx software. This affects any plant using these controllers for process automation, motor control, or safety logic in networked environments.
How it could be exploited
An attacker who gains access to an engineering station running Automation Worx or who can intercept unencrypted communications between the station and controller can modify logic files before they are loaded into the PLC. The controller lacks code integrity checks, so malicious code is accepted as legitimate. The modified logic can be designed to hide itself from operators, making the attack difficult to detect.
Prerequisites
  • Network or physical access to an engineering workstation running Automation Worx software
  • Ability to intercept or modify files in transit between engineering station and controller if not using VPN
  • Access to the engineering tools or project files on the workstation
no patch availableremotely exploitableaffects safety systemslow complexityhigh CVSS (9.8)
Exploitability
Unlikely to be exploited — EPSS score 0.8%
Affected products (18)
18 EOL
ProductAffected VersionsFix Status
AXC 1050All versionsNo fix (EOL)
AXC 3050All versionsNo fix (EOL)
FC 350 PCI ETHAll versionsNo fix (EOL)
ILC1x0All versionsNo fix (EOL)
ILC1x1All versionsNo fix (EOL)
Remediation & Mitigation
0/7
Do now
0/5
HARDENINGImplement network segmentation using firewalls to isolate OT zones from untrusted networks and the internet
HARDENINGRequire VPN encryption for all remote connections from engineering workstations to controllers
HARDENINGRestrict physical and network access to engineering workstations running Automation Worx to authorized personnel only
HARDENINGStore all project data and logic files in protected, access-controlled environments with audit logging
HARDENINGAvoid transmitting project data via email or unencrypted file sharing; use encrypted, authenticated channels only
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

WORKAROUNDDisable OT communication protocols on controllers that cannot be placed in protected network zones (via CPU services, console, or web-based management)
Mitigations - no patch available
0/1
The following products have reached End of Life with no planned fix: AXC 1050, AXC 3050, FC 350 PCI ETH, ILC1x0, ILC1x1, ILC 3xx, RFC 430 ETH-IB, RFC 450 ETH-IB, RFC 460R PN 3TX, RFC 480S PN 4TX, Automation Worx Software Suite, Config+, PC Worx, AXC 1050 XC, RFC 470S PN 3TX, PC Worx Express, PC WORX RT BASIC, PC WORX SRT. Apply the following compensating controls:
HARDENINGEstablish a change management process that includes independent verification of logic file changes before deployment
View full CERT@VDE advisory
API: /api/v1/advisories/54ab0ff7-b283-499b-b001-378d671b2e6c

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

Phoenix Contact: Automation Worx and classic line controllers prone to Incorrect Permission Assignment for Critical Resource | CVSS 9.8 - OTPulse