Phoenix Contact: Multiple Vulnerabilities in PLCnext Engineer
Plan Patch | 7.5 | VDE-2024-067 | Oct 8, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Vulnerabilities in the .NET and OPC UA libraries used by PLCnext Engineer (System.Text.Json, System.Formats.Asn1, OPCFoundation.NetStandard.Opc.Ua.Core) allow remote attackers to trigger a denial-of-service condition. An attacker can send malformed JSON, ASN.1, or OPC UA data that the libraries do not validate properly, leading to resource exhaustion or crashes in the engineering tool.
What this means
What could happen
An attacker on your network could send specially crafted messages to PLCnext Engineer, causing the software to stop responding or crash, disrupting your ability to configure and manage PLCs until the service is restarted.
Who's at risk
Manufacturing facilities and utilities using Phoenix Contact PLCnext Engineer for PLC configuration and programming. The engineering environment is the primary target, but disruption prevents normal PLC configuration, commissioning, and maintenance activities.
How it could be exploited
An attacker sends malformed JSON, ASN.1, or OPC UA data packets to the PLCnext Engineer service over the network. The vulnerable .NET libraries fail to properly validate the input, consuming excessive resources or triggering an unhandled exception, causing the engineering tool to become unresponsive.
Prerequisites
- Network reachability to PLCnext Engineer service port (typically 5000-5009)
- No credentials required
Tags: remotely exploitable, no authentication required, low complexity, affects engineering/control workflow
Affected products (2)
2 with fix
| Product | Affected Versions | Fix Status |
| PLCnext Engineer <2024.0.4 LTS | <2024.0.4 LTS | 2024.0.4 LTS or later |
| PLCnext Engineer <2024.6 | <2024.6 | 2024.0.4 LTS or later |
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to PLCnext Engineer service ports (5000-5009) to only authorized engineering workstations and administrative networks using firewall rules
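An added example (not part of the advisory): a Python check that audits an exported list of firewall allow rules against the workaround above, flagging any rule that opens ports 5000-5009 to sources outside the authorized engineering networks. The rule format, rule names and addresses are constructed for illustration, and rule ordering and deny precedence are not modeled.

```python
import ipaddress

# Port range from the advisory's prerequisites (5000-5009 inclusive).
PORT_LO, PORT_HI = 5000, 5009

# Constructed sample data: hypothetical rule format and example addresses.
AUTHORIZED_NETS = ["10.20.30.0/24"]  # engineering workstation subnet (assumed)
SAMPLE_RULES = [
    {"name": "eng-ws", "action": "allow", "source": "10.20.30.0/28", "ports": (5000, 5009)},
    {"name": "any-any-legacy", "action": "allow", "source": "0.0.0.0/0", "ports": (1024, 65535)},
    {"name": "office-lan", "action": "allow", "source": "192.168.10.0/24", "ports": (5005, 5005)},
    {"name": "web", "action": "allow", "source": "0.0.0.0/0", "ports": (443, 443)},
    {"name": "deny-ot", "action": "deny", "source": "10.50.0.0/16", "ports": (5000, 5009)},
]


def exposing_rules(rules, authorized_nets):
    """Return names of allow rules that open any port in 5000-5009 to a
    source that is not fully inside an authorized network."""
    allowed = [ipaddress.ip_network(n) for n in authorized_nets]
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        lo, hi = rule["ports"]
        if hi < PORT_LO or lo > PORT_HI:
            continue  # rule does not overlap the service port range
        src = ipaddress.ip_network(rule["source"])
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        inside = any(src.version == net.version and src.subnet_of(net) for net in allowed)
        if not inside:
            findings.append(rule["name"])
    return findings


if __name__ == "__main__":
    for name in exposing_rules(SAMPLE_RULES, AUTHORIZED_NETS):
        print(f"review rule: {name}")
```

Broad legacy rules such as a high-port any-to-any allow are the usual reason a service stays reachable after a scoped rule has been added, so the check tests range overlap, not an exact port match.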
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update PLCnext Engineer to version 2024.0.4 LTS or 2024.6 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate the engineering/programming network from operational networks and the internet