CRITICAL🇵🇱 Wersja polska

CVE-2023-0757

CVSS 9.8v3.1pub. 2023-12-14upd. 2024-11-21

Incorrect Permission Assignment for Critical Resource vulnerability in PHOENIX CONTACT MULTIPROG, PHOENIX CONTACT ProConOS eCLR (SDK) allows an unauthenticated remote attacker to upload arbitrary malicious code and gain full access on the affected device.

🤖 AI Analysis
How it works

The vulnerability stems from improper permission assignment to critical system resources (CWE-732). An attacker without any authentication can remotely upload arbitrary malicious code to the vulnerable device over the network. The absence of user interaction requirements and low attack complexity make this vulnerability particularly easy to exploit.

Impact

The attacker gains full access to the device, enabling arbitrary code execution, system control takeover, and potential disruption of industrial processes. This results in complete loss of confidentiality, integrity, and availability of device resources.

Mitigation & patch

Apply patches available from the manufacturer according to references (https://cert.vde.com/en/advisories/VDE-2023-051/). Until updates are deployed, it is recommended to isolate devices from the network, restrict network access using firewalls, and implement the principle of least privilege in network infrastructure.

Who is affected

PHOENIX CONTACT MULTIPROG and PHOENIX CONTACT ProConOS eCLR (SDK) — specific versions indicated in manufacturer references (cert.vde.com, VDE-2023-051)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Phoenixcontact Multiprog

    APP
    Phoenixcontact
    wszystkie wersje
  • Phoenixcontact Proconos Eclr

    APP
    Phoenixcontact
    wszystkie wersje
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2022-31801CRITICAL9.8ten sam produkt

An unauthenticated, remote attacker could upload malicious logic to the devices based on ProConOS/ProConOS eCL...

CVE-2023-5592HIGH7.5ten sam produkt

Download of Code Without Integrity Check vulnerability in PHOENIX CONTACT MULTIPROG, PHOENIX CONTACT ProConOS ...

CVE-2025-25270CRITICAL9.8PL ✓ten sam vendor

RCE jako root w sterownikach ładowania Phoenix Contact CHARX SEC-3x00

CVE-2024-25995CRITICAL9.8PL ✓ten sam vendor

RCE i eskalacja uprawnień w Phoenix Contact CHARX SEC — brak walidacji danych wejściowych

CVE-2023-46141CRITICAL9.8PL ✓ten sam vendor

Phoenix Contact: nieuprawniony zdalny dostęp do urządzeń linii klasycznej