Phoenix Contact: PLCnext prone to Incorrect Permission Assignment for Critical Resource

Plan PatchCVSS 8.8VDE-2023-056Dec 12, 2023

Phoenix ContactManufacturing

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

PLCnext Control devices contain a permission assignment flaw (CWE-732) in their application integrity verification. An authenticated attacker with access to engineering tools, stored applications, or the PLC itself could craft a specially modified application file in a way that bypasses the integrity check. This would allow undetected tampering with PLC logic, configurations, and executable code. The vulnerability is difficult to detect once exploited because the integrity verification mechanism is circumvented. Affected devices include AXC F 1152/2152/3152, BPC 9102S, EPC 1502/1522, RFC 4072R/S, and PLCnext Engineer software (all versions through 2024.0).

What this means

What could happen

An authenticated attacker with access to PLCnext Engineer, stored applications, or the PLC itself could bypass integrity checks and modify PLC logic, configurations, or executable code. These tampering attempts would go undetected, potentially allowing persistent changes to process setpoints, logic behavior, or control functions that are difficult to remove.

Who's at risk

Manufacturing facilities using Phoenix Contact PLCnext Control systems for process automation, including companies running AXC F series industrial computers, BPC gateways, EPC edge controllers, and RFC wireless modules. Any organization with PLCnext Engineer used for PLC programming and configuration is affected.

How it could be exploited

An attacker with engineering workstation credentials, or physical/network access to the PLC's application storage, could craft a specially modified application file that defeats the built-in integrity verification. When this modified application is loaded onto the PLC or edited via PLCnext Engineer, the tampering remains hidden, allowing the attacker to inject malicious logic into your process control.

Prerequisites

Valid PLCnext Engineer credentials or engineering workstation access
Access to the stored application file (on engineering station, during download, or in PLC storage)
Understanding of PLCnext application structure to craft tampering that bypasses integrity checks

Requires valid engineering credentials (not unauthenticated)Requires network or physical access to PLC or engineering workstationDifficult to detect tampering once exploit succeedsAffects critical process logic and control logicBypass of integrity verification mechanism

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (9)

9 with fix

ProductAffected VersionsFix Status

AXC F 1152≤ 2024.02023.0.7 LTS

AXC F 2152≤ 2024.02023.0.7 LTS

AXC F 3152≤ 2024.02023.0.7 LTS

BPC 9102S≤ 2024.02023.0.7 LTS

EPC 1502≤ 2024.02023.0.7 LTS

EPC 1522≤ 2024.02023.0.7 LTS

PLCnext Engineer≤ 2024.02023.0.7 LTS

RFC 4072R≤ 2024.02023.0.7 LTS

Remediation & Mitigation

0/7

Do now

0/3

WORKAROUNDRestrict network access to PLCnext devices to only authorized engineering workstations using firewall rules

HARDENINGRequire VPN for all remote connections between engineering workstations and PLCnext Control devices

HARDENINGProhibit sharing PLCnext project files via email or unencrypted file transfer; use secure methods with integrity verification

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

BPC 9102S

HOTFIXUpdate all affected PLCnext devices (AXC F series, BPC 9102S, EPC 1502/1522, RFC 4072R/S) to firmware version 2023.0.7 LTS or later

PLCnext Engineer

HOTFIXUpdate PLCnext Engineer to version 2023.0.7 LTS or later on all engineering workstations

Long-term hardening

0/2

PLCnext Engineer

HARDENINGEstablish a protected isolated network segment for PLCnext Engineer and engineering communications, separate from production IT networks

All products

HARDENINGImplement physical and logical access controls to limit who can access engineering workstations and PLC application storage

CVEs (1)

CVE-2023-46142

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/1b5a65a4-048d-4d51-a251-3eb01cea7225

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.