CVE-2022-31801

Insufficient Verification of Data Vulnerability in ProConOS/ProConOS eCLR SDK and MULTIPROG Engineering tool

CVSS 9.8 CRITICAL | EPSS 1.0% | CWE-345
In short

An attacker can remotely upload harmful code to devices running ProConOS without needing a password, taking complete control of the device. This is critical because these devices often control important industrial systems.

Technical detail

The vulnerability allows unauthenticated remote code upload to ProConOS/eCLR-based devices due to insufficient data verification (CWE-345). An attacker can exploit this over the network to execute arbitrary logic and achieve full device compromise without prior authentication or authorization.

Summary generated and translated by AI from the official description.
An unauthenticated, remote attacker could upload malicious logic to the devices based on ProConOS/ProConOS eCLR in order to gain full control over the device.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
