CVE-2023-1109
📋 TL;DR
CVE-2023-1109 is a path traversal vulnerability in Phoenix Contact's ENERGY AXC PU Web service that allows authenticated users to read, write, and create arbitrary files on the system through specially crafted URLs. It affects all organizations running vulnerable versions of the ENERGY AXC PU Web service and can give an attacker full control of the service.
💻 Affected Systems
- Phoenix Contact's ENERGY AXC PU Web service
📦 What is this software?
Energy Axc Pu by Phoenixcontact
Infobox Firmware by Phoenixcontact
Smartrtu Axc Ig Firmware by Phoenixcontact
Smartrtu Axc Sg Firmware by Phoenixcontact
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to install malware, steal sensitive data, disrupt operations, or pivot to other network systems.
Likely Case
Unauthorized file access leading to configuration theft, credential harvesting, or service disruption through file manipulation.
If Mitigated
Limited impact if proper network segmentation, strict authentication, and file system permissions are in place.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward via crafted URLs in upload/download functionality.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 1.0.4
Vendor Advisory: https://cert.vde.com/en/advisories/VDE-2023-003/
Restart Required: Yes
Instructions:
1. Download version 1.0.4 from the Phoenix Contact support portal.
2. Back up the current configuration.
3. Apply the update following the vendor's instructions.
4. Restart the service.
5. Verify that the update was successful.
🔧 Temporary Workarounds
Network Segmentation
Isolate the ENERGY AXC PU Web service from critical networks and restrict access to authorized IP addresses only.
Access Control Hardening
Implement strict authentication policies, limit user permissions, and monitor for suspicious file operations.
🧯 If You Can't Patch
- Implement strict network access controls to limit which systems can communicate with the vulnerable service.
- Enable detailed logging of all file operations and monitor for unusual upload/download patterns.
🔍 How to Verify
Check if Vulnerable:
Check web service version via admin interface or system information page. If version is below 1.0.4, the system is vulnerable.
Check Version:
Check via web interface at /system/info or similar endpoint, or consult device documentation for CLI commands.
Verify Fix Applied:
After patching, verify version shows 1.0.4 or higher and test that path traversal attempts are properly blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual file paths in upload/download requests
- Multiple failed authentication attempts followed by successful login and file operations
- Requests containing '../' or similar path traversal sequences
Network Indicators:
- Unusual outbound connections from the device
- Large file transfers to/from unexpected locations
- HTTP requests with crafted file paths
SIEM Query:
source="energy_axc_pu_logs" AND (url="*../*" OR url="*..\\*" OR file_operation="unusual")
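As an added example (not part of this advisory or any vendor tooling), the Python below applies the log indicators above to a few constructed sample log lines: it percent-decodes repeatedly so double-encoded `..` is not missed, treats backslashes as path separators, and flags only genuine `..` path components, so a file name such as `config..xml` does not trigger it. The log line format and the `/upload` and `/download` endpoint names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample web-service log lines (not real ENERGY AXC PU logs);
# the format "<ip> <user> <method> <url> <status>" is an assumption.
SAMPLE_LOG = """\
10.0.0.5 admin GET /upload?file=config.xml 200
10.0.0.5 admin GET /download?file=../../etc/passwd 200
10.0.0.7 tech POST /upload?file=..%2F..%2Fetc%2Fshadow 403
10.0.0.9 admin GET /download?file=%252e%252e%252fboot.ini 200
10.0.0.9 admin GET /download?file=..\\..\\windows\\win.ini 200
10.0.0.3 ops GET /system/info 200
"""

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<user>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded sequences (e.g. %252e) are caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_attempt(url: str) -> bool:
    """True if any path or query component, after decoding, is exactly '..'."""
    decoded = decode_fully(url).replace("\\", "/")
    # Split on every character that can delimit a component in a path or query
    segments = re.split(r"[/?&=;]", decoded)
    return any(seg == ".." for seg in segments)


def find_traversal_events(log_text: str) -> list[dict]:
    """Return the parsed log records whose URL carries a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m["url"]):
            hits.append(m.groupdict())
    return hits


if __name__ == "__main__":
    for ev in find_traversal_events(SAMPLE_LOG):
        print(f"{ev['ip']} {ev['user']} {ev['method']} {ev['url']} -> {ev['status']}")
```

Note that a 403 on a decoded traversal attempt is still worth alerting on: it shows an authenticated account probing the upload/download handlers, which is the precondition this CVE requires.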