Security Experts:

Connect with us

Hi, what are you looking for?



Many Phoenix Contact PLCs Still Vulnerable Months After Researcher Issues Warning

Several months after a researcher issued a warning about over 1,200 Phoenix Contact programmable logic controllers (PLCs) being exposed to remote attacks from the internet, many organizations still haven’t taken any measures to secure their systems.

Several months after a researcher issued a warning about over 1,200 Phoenix Contact programmable logic controllers (PLCs) being exposed to remote attacks from the internet, many organizations still haven’t taken any measures to secure their systems.

In a blog post published on Medium in early February, cybersecurity researcher Sergiu Sechel warned that two types of Phoenix Contact PLCs that should normally be deployed only on closed networks were easily accessible from the internet. The PC Worx communication protocol used by these products for management and configuration does not include any authentication mechanisms.

The configuration interface of some Phoenix Contact ILC and AXC controllers can be accessed remotely without any authentication over TCP port 1962. This configuration interface can be used to obtain information about the device, change its IP address and other settings, start or stop the PLC, create a backup for its entire configuration, update or modify the firmware, and enable or disable firmware services.

Phoenix Contact PLC interface

In a simple attack, malicious actors could gain access to the admin interface and turn off the device, Sechel told SecurityWeek.

“A complex attack would require the update of a modified firmware on the device that would enable the attacker to execute arbitrary commands on the controller,” the researcher explained. “This would require the purchase of a ILC controller and the software to reverse engineer or modify the firmware. By abusing the create backup feature an attacker can obtain knowledge on what type of infrastructure is managed by the ILC controller.”

The vulnerability, tracked as CVE-2019-9201 and classified as “critical” with a CVSS score of 9.8, impacts ILC1x0 and ILC1x1 controllers, and AXIOLINE AXC1050 and AXC3050 controllers.

The ILC devices are inline controllers often used to transmit information over long distances, including by utilities, power plants and manufacturing facilities. The AXC modular controllers are designed for the Axioline I/O system and they provide performance and easy handling in harsh industrial environments.

Learn More About Flaws in Industrial Products at SecurityWeek’s 2019 ICS Cyber Security Conference

When he publicly disclosed his findings in February, Sechel reported that a Shodan search had identified over 1,200 exposed ILC controllers, mainly in Italy, Germany, the Netherlands, Turkey and Spain. A search for AXC 1050 devices revealed 66 instances. The same Shodan searches conducted now show that there are still roughly 1,000 ILC and 50 AXC controllers that can be accessed directly from the web.

While the researcher disclosed his findings several months ago, the Germany-based industrial automation solutions provider Phoenix Contact and Germany’s VDE CERT agency only released an advisory roughly one week ago, in late June. Sechel, who has Global Industrial Cyber Security Professional (GICSP) certification, reported the vulnerability through MITRE.

The researcher told SecurityWeek that all the devices visible on Shodan should be considered vulnerable to hacker attacks from the internet.Phoenix Contact PLC

Moreover, the expert has warned that the actual number of vulnerable devices is likely higher as he says Shodan does not have full visibility into the IPv4 address space. Scans conducted using NMAP can reveal additional vulnerable systems.

“There are different subnets that block Shodan scans,” Sechel noted. “In a specific assessment, one can try to detect if an organization has ILC/AXC controllers by issuing NMAP scans, even if there are no search results on Shodan. For example, if we are assessing the security of a critical infrastructure provider we will use NMAP (where possible and if permitted — ICS devices are very delicate) to try to detect different ICS which for example are not visible from the internet.”

Phoenix Contact has told customers that the impacted devices are designed for use only in closed networks or they should be protected with firewalls.

“If the use of an affected controller in an unprotected open network cannot be avoided, the affected communication protocols should be disabled by using the CPU services via console,” Phoenix said in its advisory, which has also been published by VDE CERT.

Sechel pointed out that one of the simplest and most effective mitigations for this vulnerability would be to use a VPN to ensure that only authorized users are able to access the PLCs remotely. However, in reality, that only limits the risk to internal attackers, which could still compromise the devices.

Related: Flaws Expose Phoenix Contact Industrial Switches to Attacks

Related: Flaws in Phoenix Contact Automationworx Allow Code Execution via Malicious Files

Related: Serious Flaws Found in Phoenix Contact Industrial Switches

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.