Incorrect Permission Assignment for Critical Resource vulnerability in PHOENIX CONTACT MULTIPROG, PHOENIX CONTACT ProConOS eCLR (SDK) allows an unauthenticated remote attacker to upload arbitrary malicious code and gain full access on the affected device.
The vulnerability stems from improper permission assignment to critical system resources (CWE-732). An attacker without any authentication can remotely upload arbitrary malicious code to the vulnerable device over the network. The absence of user interaction requirements and low attack complexity make this vulnerability particularly easy to exploit.
The attacker gains full access to the device, enabling arbitrary code execution, system control takeover, and potential disruption of industrial processes. This results in complete loss of confidentiality, integrity, and availability of device resources.
Apply patches available from the manufacturer according to references (https://cert.vde.com/en/advisories/VDE-2023-051/). Until updates are deployed, it is recommended to isolate devices from the network, restrict network access using firewalls, and implement the principle of least privilege in network infrastructure.
PHOENIX CONTACT MULTIPROG and PHOENIX CONTACT ProConOS eCLR (SDK) — specific versions indicated in manufacturer references (cert.vde.com, VDE-2023-051)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HPhoenixcontact Multiprog
APPPhoenixcontactwszystkie wersjePhoenixcontact Proconos Eclr
APPPhoenixcontactwszystkie wersje
Related vulnerabilities
An unauthenticated, remote attacker could upload malicious logic to the devices based on ProConOS/ProConOS eCL...
Download of Code Without Integrity Check vulnerability in PHOENIX CONTACT MULTIPROG, PHOENIX CONTACT ProConOS ...
RCE jako root w sterownikach ładowania Phoenix Contact CHARX SEC-3x00
RCE i eskalacja uprawnień w Phoenix Contact CHARX SEC — brak walidacji danych wejściowych
Phoenix Contact: nieuprawniony zdalny dostęp do urządzeń linii klasycznej