Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

Act Now | CVSS 9 | VDE-2024-071 | Dec 9, 2024
Phoenix Contact | Manufacturing
Attack path
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

Multiple Linux kernel vulnerabilities exist in PLCnext Firmware affecting several controller models. The vulnerabilities include use-after-free (CWE-416), race conditions (CWE-362, CWE-367), and symlink/path traversal issues (CWE-59, CWE-606, CWE-1325). These allow remote code execution without authentication on affected controllers running firmware versions prior to 2024.0.6 LTS. Phoenix Contact has issued firmware 2024.0.6 LTS with fixes for AXC F, RFC, and BPC series controllers; however, EPC 1502 and EPC 1522 will not receive patches.

What this means
What could happen
An attacker with network access could exploit multiple Linux vulnerabilities in PLCnext controllers to gain unauthorized code execution on the PLC, potentially altering control logic, modifying setpoints, or halting production processes in manufacturing facilities.
Who's at risk
Manufacturing facilities using Phoenix Contact PLCnext controllers (AXC F series, RFC 4072 series, BPC 9102S, EPC series) for production automation, machine control, or process management. The vulnerability affects six product models with available patches and two end-of-life models without patches.
How it could be exploited
An attacker on the network could target unpatched PLCnext controllers (AXC F, RFC, BPC, EPC models) running firmware older than 2024.0.6 LTS. By exploiting use-after-free, race conditions, or symlink/path traversal flaws in the Linux kernel components, the attacker could execute arbitrary code with controller privileges, gaining direct control over automation logic and connected equipment.
Prerequisites
  • Network reachability to the PLCnext controller
  • Controller running firmware version earlier than 2024.0.6 LTS
  • No additional authentication required for exploitation
  • remotely exploitable
  • no authentication required
  • high EPSS score (80.4%)
  • no patch available for EPC 1502 and EPC 1522
  • affects industrial control PLCs
  • multiple underlying vulnerabilities (use-after-free, race conditions, path traversal)
Exploitability
Likely to be exploited — EPSS score 79.6%
Public Proof-of-Concept (PoC) on GitHub (10 repositories)
Affected products (8)
6 with fix, 2 EOL
Product       Affected Versions   Fix Status
AXC F 1152    <2024.0.6 LTS       2024.0.6 LTS
AXC F 2152    <2024.0.6 LTS       2024.0.6 LTS
AXC F 3152    <2024.0.6 LTS       2024.0.6 LTS
RFC 4072S     <2024.0.6 LTS       2024.0.6 LTS
BPC 9102S     <2024.0.6 LTS       2024.0.6 LTS
RFC 4072R     <2024.0.6 LTS       2024.0.6 LTS
EPC 1522      <2024.0.6 LTS       No fix (EOL)
EPC 1502      <2024.0.6 LTS       No fix (EOL)
Remediation & Mitigation
Do now
EPC 1522
HARDENING: For EPC 1522 and EPC 1502 controllers (no patch available), restrict network access to these devices using firewall rules to allow only trusted engineering workstations and control networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

AXC F 1152
HOTFIX: Update AXC F 1152, AXC F 2152, AXC F 3152, RFC 4072S, BPC 9102S, and RFC 4072R controllers to firmware version 2024.0.6 LTS or later
All products
HOTFIX: Update PLCnext Engineer software to the latest version on all engineering workstations
Mitigations - no patch available
The following products have reached End of Life with no planned fix: EPC 1522, EPC 1502. Apply the following compensating controls:
HARDENING: Segment PLCnext controllers onto a dedicated control network separate from general IT infrastructure to limit attack surface
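To turn the affected-products table and the remediation steps above into a repeatable check, here is an added Python triage helper (not code from Phoenix Contact or from the advisory): it parses PLCnext firmware strings of the form "2024.0.6 LTS" numerically, so that 2024.0.10 is correctly treated as newer than 2024.0.6, and maps each controller in a constructed sample inventory to an action (update, isolate, or verify). The status names, the regular expression and the sample inventory are this example's own assumptions.

```python
import re
# Page facts: the fixed build and the two model groups from the affected-products table.
FIXED_VERSION = "2024.0.6 LTS"
PATCHED_MODELS = {"AXC F 1152", "AXC F 2152", "AXC F 3152",
                  "RFC 4072S", "BPC 9102S", "RFC 4072R"}
EOL_MODELS = {"EPC 1522", "EPC 1502"}  # no fix planned; isolate instead
# Accepts "2024.0.6 LTS", "2024.0.6" or "2025.0"; the LTS tag does not affect ordering.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\s+LTS)?\s*$")

def parse_version(text):
    """Turn a PLCnext firmware string into a comparable (year, minor, patch) tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised PLCnext firmware version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def triage(model, version):
    """Return 'not-in-scope', 'patched', 'update-to-2024.0.6-lts',
    'eol-isolate' or 'verify-manually' for one controller."""
    if model not in PATCHED_MODELS and model not in EOL_MODELS:
        return "not-in-scope"
    below_fix = parse_version(version) < parse_version(FIXED_VERSION)
    if model in EOL_MODELS:
        # No fixed build exists for EPC 1502/1522, so a version at or above
        # 2024.0.6 reported on them is suspect data, not evidence of a fix.
        return "eol-isolate" if below_fix else "verify-manually"
    return "update-to-2024.0.6-lts" if below_fix else "patched"

def triage_inventory(inventory):
    """Map (hostname, model, version) rows to actions; unparsable versions stay visible."""
    result = {}
    for host, model, version in inventory:
        try:
            result[host] = triage(model, version)
        except ValueError:
            result[host] = "version-unknown"
    return result
# Constructed sample inventory, not data from the advisory.
SAMPLE_INVENTORY = [
    ("plc-line1", "AXC F 2152", "2024.0.3 LTS"),
    ("plc-line2", "AXC F 2152", "2024.0.6 LTS"),
    ("plc-line3", "RFC 4072S", "2024.0.10"),  # string compare would wrongly call this old
    ("edge-cell", "EPC 1502", "2023.0.1 LTS"),
    ("hmi-gw", "Some Other Device", "1.2.3"),
    ("plc-old", "AXC F 1152", "unknown"),
]

if __name__ == "__main__":
    for host, action in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:10} {action}")
```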