CVE-2022-31800
Insufficient Verification of Data Vulnerability in PHOENIX CONTACT classic line industrial controllers
In short
An attacker from the internet can upload harmful code to certain industrial controllers without needing any password or authentication, taking complete control of the device.
Technical detail
CWE-345 insufficient data verification allows unauthenticated remote code upload on ProConOS/ProConOS eCLR devices; attacker can achieve arbitrary code execution and full device compromise via unvalidated firmware/logic upload mechanism.
Summary generated and translated by AI from the official description.
An unauthenticated, remote attacker could upload malicious logic to devices based on ProConOS/ProConOS eCLR in order to gain full control over the device.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
PHOENIX CONTACT · AXC 1050PHOENIX CONTACT · AXC 1050 XCPHOENIX CONTACT · AXC 3050PHOENIX CONTACT · FC 350 PCI ETHPHOENIX CONTACT · ILC 1x0PHOENIX CONTACT · ILC 1x1PHOENIX CONTACT · ILC 1x1 GSM/GPRSPHOENIX CONTACT · ILC 3xxPHOENIX CONTACT · PC WORX RT BASICPHOENIX CONTACT · PC WORX SRTPHOENIX CONTACT · RFC 430 ETH-IBPHOENIX CONTACT · RFC 450 ETH-IBPHOENIX CONTACT · RFC 460R PN 3TXPHOENIX CONTACT · RFC 460R PN 3TX-SPHOENIX CONTACT · RFC 470 PN 3TXPHOENIX CONTACT · RFC 470S PN 3TXPHOENIX CONTACT · RFC 480S PN 4TXWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →