Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

Act Now | CVSS 9.8 | VDE-2024-073 | Dec 9, 2024
Phoenix Contact | Manufacturing
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple Linux component vulnerabilities exist in Phoenix Contact PLCnext Firmware across AXC F, RFC, BPC, and EPC series controllers. These vulnerabilities allow remote code execution, unauthorized access to sensitive data, and denial-of-service attacks on affected devices. The vulnerabilities stem from buffer overflows, path traversal, improper input validation, and insecure cryptographic implementations within embedded Linux components. All affected products can be patched with the latest firmware releases (2024.0.6 LTS for most models, 2024.0.3 LTS for EPC series).

What this means
What could happen
An attacker with network access to a vulnerable PLCnext controller could execute arbitrary code, steal sensitive data, or completely disrupt manufacturing operations by taking control of the industrial automation device.
Who's at risk
Manufacturing plants using Phoenix Contact PLCnext controllers (AXC F series, RFC, BPC, EPC models) for process automation, motion control, or safety-critical operations need immediate patching. This includes discrete manufacturing facilities, continuous process plants, and facilities using PLCnext as primary programmable logic controllers.
How it could be exploited
An attacker on the same network or with remote access to the PLCnext controller's Ethernet port could send malicious network packets or exploit multiple Linux component vulnerabilities to execute code with controller privileges. Once code execution is achieved, the attacker could modify process logic, disable safety interlocks, alter production parameters, or halt operations entirely.
Prerequisites
  • Network access to the PLCnext controller Ethernet port (port 443 or other exposed services)
  • No authentication required for exploitation
  • Affected firmware version running on the device
  • Remotely exploitable
  • No authentication required
  • Low complexity
  • Actively exploited (KEV)
  • Critical CVSS 9.8
  • EPSS score 94.4% (very likely to be exploited)
  • Affects core automation platform
  • Multiple critical vulnerabilities in single firmware
Exploitability
Actively exploited — confirmed by CISA KEV
Metasploit module available — weaponized exploit
Public Proof-of-Concept (PoC) on GitHub (10 repositories)
Affected products (8)
8 with fix
Product | Affected Versions | Fix Status
AXC F 1152 | <2024.0.6 LTS | 2024.0.6 LTS
AXC F 2152 | <2024.0.6 LTS | 2024.0.6 LTS
AXC F 3152 | <2024.0.6 LTS | 2024.0.6 LTS
RFC 4072S | <2024.0.6 LTS | 2024.0.6 LTS
BPC 9102S | <2024.0.6 LTS | 2024.0.6 LTS
RFC 4072R | <2024.0.6 LTS | 2024.0.6 LTS
EPC 1502 | <2024.0.3 LTS | 2024.0.3 LTS
EPC 1522 | <2024.0.3 LTS | 2024.0.3 LTS
Remediation & Mitigation
Do now
AXC F 1152
HOTFIX: Update AXC F 1152, AXC F 2152, AXC F 3152, RFC 4072S, RFC 4072R, and BPC 9102S controllers to firmware version 2024.0.6 LTS or later
EPC 1502
HOTFIX: Update EPC 1502 and EPC 1522 controllers to firmware version 2024.0.3 LTS or later
All products
HARDENING: Restrict network access to PLCnext controllers by implementing firewall rules that allow connections only from trusted engineering workstations and supervisory systems
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Isolate PLCnext controllers on a dedicated industrial control network segment separate from general IT networks and the Internet
HOTFIX: Update PLCnext Engineer engineering software to the latest version on all workstations used to program or monitor controllers
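
One way to triage an asset inventory against the affected-products table above, as an added example that is not part of the original advisory or any Phoenix Contact tooling. The inventory rows and device names are constructed, and the script assumes firmware strings contain a dotted numeric version such as `2024.0.5 LTS`.

```python
import re

# First fixed firmware per model, from the advisory's affected-products table.
FIXED = {
    "AXC F 1152": (2024, 0, 6), "AXC F 2152": (2024, 0, 6),
    "AXC F 3152": (2024, 0, 6), "RFC 4072S": (2024, 0, 6),
    "RFC 4072R": (2024, 0, 6), "BPC 9102S": (2024, 0, 6),
    "EPC 1502": (2024, 0, 3), "EPC 1522": (2024, 0, 3),
}
VERSION_RE = re.compile(r"(\d{4})\.(\d+)(?:\.(\d+))?")

def parse_version(text):
    """Return (year, minor, patch) from e.g. '2024.0.5 LTS', or None."""
    m = VERSION_RE.search(text or "")
    return tuple(int(g or 0) for g in m.groups()) if m else None

def triage(inventory):
    """Classify (name, model, firmware) rows against the fixed versions."""
    results = []
    for name, model, firmware in inventory:
        fixed = FIXED.get(" ".join(model.upper().split()))
        version = parse_version(firmware)
        if fixed is None:
            status = "not-listed"
        elif version is None:
            status = "unknown-version"  # handle as vulnerable until verified
        elif version < fixed:           # numeric compare: 0.10 sorts after 0.6
            status = "vulnerable"
        else:
            status = "patched"
        results.append((name, status))
    return results

# Constructed sample inventory (names and versions are illustrative only).
INVENTORY = [
    ("line1-plc", "AXC F 2152", "2024.0.5 LTS"),
    ("line2-plc", "AXC F 3152", "2024.0.10 LTS"),
    ("line3-plc", "AXC F 1152", "2024.0.3 LTS"),  # fixed for EPC, not AXC F
    ("edge-01", "EPC 1502", "2024.0.3 LTS"),
    ("edge-02", "epc 1522", "2023.0.4 LTS"),
    ("safety-01", "RFC 4072S", ""),
    ("other-01", "OTHER-MODEL", "2022.0"),
]

if __name__ == "__main__":
    for name, status in triage(INVENTORY):
        print(f"{name:10} {status}")
```

Devices reported as `unknown-version` should be checked by hand and kept behind the firewall restrictions listed above until their firmware is confirmed.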
CVEs (63)