Phoenix Contact: PLCnext prone to Incorrect Permission Assignment for Critical Resource
Plan Patch · 8.8 · VDE-2023-056 · Dec 12, 2023
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
PLCnext Control devices contain a permission assignment flaw (CWE-732) in their application integrity verification. An authenticated attacker with access to engineering tools, stored applications, or the PLC itself could craft a specially modified application file in a way that bypasses the integrity check. This would allow undetected tampering with PLC logic, configurations, and executable code. The vulnerability is difficult to detect once exploited because the integrity verification mechanism is circumvented. Affected devices include AXC F 1152/2152/3152, BPC 9102S, EPC 1502/1522, RFC 4072R/S, and PLCnext Engineer software (all versions through 2024.0).
What this means
What could happen
An authenticated attacker with access to PLCnext Engineer, stored applications, or the PLC itself could bypass integrity checks and modify PLC logic, configurations, or executable code. These tampering attempts would go undetected, potentially allowing persistent changes to process setpoints, logic behavior, or control functions that are difficult to remove.
Who's at risk
Manufacturing facilities using Phoenix Contact PLCnext Control systems for process automation, including companies running AXC F series industrial computers, BPC gateways, EPC edge controllers, and RFC wireless modules. Any organization with PLCnext Engineer used for PLC programming and configuration is affected.
How it could be exploited
An attacker with engineering workstation credentials, or physical/network access to the PLC's application storage, could craft a specially modified application file that defeats the built-in integrity verification. When this modified application is loaded onto the PLC or edited via PLCnext Engineer, the tampering remains hidden, allowing the attacker to inject malicious logic into your process control.
Prerequisites
- Valid PLCnext Engineer credentials or engineering workstation access
- Access to the stored application file (on engineering station, during download, or in PLC storage)
- Understanding of PLCnext application structure to craft tampering that bypasses integrity checks
- Requires valid engineering credentials (not unauthenticated)
- Requires network or physical access to PLC or engineering workstation
- Difficult to detect tampering once exploit succeeds
- Affects critical process logic and control logic
- Bypass of integrity verification mechanism
Affected products (9)
9 with fix

| Product | Affected Versions | Fix Status |
|---|---|---|
| AXC F 1152 | ≤ 2024.0 | 2023.0.7 LTS |
| AXC F 2152 | ≤ 2024.0 | 2023.0.7 LTS |
| AXC F 3152 | ≤ 2024.0 | 2023.0.7 LTS |
| BPC 9102S | ≤ 2024.0 | 2023.0.7 LTS |
| EPC 1502 | ≤ 2024.0 | 2023.0.7 LTS |
| EPC 1522 | ≤ 2024.0 | 2023.0.7 LTS |
| PLCnext Engineer | ≤ 2024.0 | 2023.0.7 LTS |
| RFC 4072R | ≤ 2024.0 | 2023.0.7 LTS |
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to PLCnext devices to only authorized engineering workstations using firewall rules
- HARDENING: Require VPN for all remote connections between engineering workstations and PLCnext Control devices
- HARDENING: Prohibit sharing PLCnext project files via email or unencrypted file transfer; use secure methods with integrity verification
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
BPC 9102S
- HOTFIX: Update all affected PLCnext devices (AXC F series, BPC 9102S, EPC 1502/1522, RFC 4072R/S) to firmware version 2023.0.7 LTS or later
PLCnext Engineer
- HOTFIX: Update PLCnext Engineer to version 2023.0.7 LTS or later on all engineering workstations
Long-term hardening
PLCnext Engineer
- HARDENING: Establish a protected isolated network segment for PLCnext Engineer and engineering communications, separate from production IT networks
All products
- HARDENING: Implement physical and logical access controls to limit who can access engineering workstations and PLC application storage
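
Because the flaw lets a modified application pass the product's own integrity check, the "integrity verification" recommended for shared project files has to come from a check that is independent of the product. The following Python is an added example, not Phoenix Contact code or part of the advisory: it builds a keyed (HMAC-SHA256) baseline of a stored project directory and later reports modified, missing and unexpected files. The key, file names and directory layout are constructed assumptions.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

def _digest(path: Path, key: bytes) -> str:
    """HMAC-SHA256 of one file, read in chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()

def build_manifest(root: Path, key: bytes) -> dict:
    """Map each file's relative path to its keyed digest, plus a MAC over the map."""
    files = {p.relative_to(root).as_posix(): _digest(p, key)
             for p in sorted(root.rglob("*")) if p.is_file()}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify(root: Path, manifest: dict, key: bytes) -> dict:
    """Compare the directory with the baseline; reject a manifest that was altered."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        raise ValueError("manifest MAC mismatch: the baseline itself was altered")
    known, current = manifest["files"], build_manifest(root, key)["files"]
    return {
        "modified": sorted(f for f in known if f in current
                           and not hmac.compare_digest(known[f], current[f])),
        "missing": sorted(f for f in known if f not in current),
        "unexpected": sorted(f for f in current if f not in known),
    }

def demo() -> dict:
    """Constructed sample: a stand-in project directory changed after baselining."""
    key = b"constructed-demo-key"  # assumption: the real key is stored off the workstation
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "logic").mkdir()
        (root / "logic" / "main.bin").write_bytes(b"\x00original logic")
        (root / "config.xml").write_text("<cfg setpoint='50'/>")
        manifest = build_manifest(root, key)                       # baseline when approved
        (root / "logic" / "main.bin").write_bytes(b"\x00tampered logic")
        (root / "extra.so").write_bytes(b"added")
        (root / "config.xml").unlink()
        return verify(root, manifest, key)                         # later audit

if __name__ == "__main__":
    print(demo())
```

Keep the key and the manifest off the engineering workstation; anyone who can alter the project files and also reach the key can regenerate a matching baseline.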
CVEs (1)