CVE-2023-46141
📋 TL;DR
This critical vulnerability allows remote unauthenticated attackers to gain full administrative access to affected PHOENIX CONTACT classic line devices by exploiting incorrect permission assignments. It affects multiple industrial control system products, potentially enabling complete device takeover. Organizations using these industrial automation devices are at risk.
💻 Affected Systems
- PHOENIX CONTACT classic line products (specific models not detailed in provided references)
📦 What is this software?
Automationworx Software Suite by Phoenixcontact
Axc 1050 Firmware by Phoenixcontact
Axc 1050 Xc Firmware by Phoenixcontact
Axc 3050 Firmware by Phoenixcontact
Config+ by Phoenixcontact
Fc 350 Pci Eth Firmware by Phoenixcontact
Ilc 3xx Firmware by Phoenixcontact
Ilc1x0 Firmware by Phoenixcontact
Ilc1x1 Firmware by Phoenixcontact
Pc Worx by Phoenixcontact
Pc Worx Express by Phoenixcontact
Pc Worx Rt Basic Firmware by Phoenixcontact
Pc Worx Srt by Phoenixcontact
Rfc 430 Eth Ib Firmware by Phoenixcontact
Rfc 450 Eth Ib Firmware by Phoenixcontact
Rfc 460r Pn 3tx Firmware by Phoenixcontact
Rfc 470s Pn 3tx Firmware by Phoenixcontact
Rfc 480s Pn 4tx Firmware by Phoenixcontact
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of industrial control systems leading to operational disruption, safety hazards, data theft, or physical damage to industrial processes.
Likely Case
Unauthorized access to industrial networks, manipulation of control logic, data exfiltration, and potential ransomware deployment on critical infrastructure.
If Mitigated
Limited impact if devices are properly segmented, monitored, and have network access controls preventing external connections.
🎯 Exploit Status
Remote unauthenticated access with CVSS 9.8 suggests trivial exploitation; industrial control system vulnerabilities are frequently weaponized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific fixed versions
Vendor Advisory: https://cert.vde.com/en/advisories/VDE-2023-055/
Restart Required: Yes
Instructions:
1. Review VDE advisory for affected products
2. Contact PHOENIX CONTACT for firmware updates
3. Apply vendor-provided patches
4. Restart affected devices
5. Verify patch application
🔧 Temporary Workarounds
Network Segmentation
Isolate affected devices from untrusted networks and implement strict firewall rules
Access Control Lists
Implement IP-based restrictions to limit device access to authorized management systems only
🧯 If You Can't Patch
- Segment affected devices in dedicated VLANs with strict firewall rules blocking all unnecessary ports
- Implement network monitoring and intrusion detection specifically for industrial control system traffic patterns
🔍 How to Verify
Check if Vulnerable:
Check device model and firmware version against vendor advisory; devices in PHOENIX CONTACT classic line series are potentially affected
Check Version:
Device-specific - typically through web interface or management software (check vendor documentation)
Verify Fix Applied:
Verify firmware version matches or exceeds vendor's patched version; test access controls and permissions
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to device management interfaces
- Unexpected configuration changes
- New administrative accounts
Network Indicators:
- Unusual traffic to industrial control system ports (typically 80, 443, 502, 20000)
- External IP addresses accessing internal industrial devices
SIEM Query:
source_ip IN (external_ips) AND dest_port IN (80,443,502,20000) AND dest_ip IN (industrial_device_ips)
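
The query above is written for no particular SIEM. The following is an added example, not vendor or advisory code, that applies the same logic to a flow log and extends it to flag internal hosts outside the authorized management list described under Access Control Lists. All addresses, networks and the `src,dst,dport` log format are constructed assumptions.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Ports listed under "Network Indicators" on this page.
ICS_PORTS = {80, 443, 502, 20000}

# Assumed site inventory (constructed values, replace with your own).
DEVICE_NETS = [ip_network("10.20.30.0/24")]   # VLAN holding the controllers
MGMT_HOSTS = {ip_address("10.20.1.10")}       # authorized engineering station
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed flow log, one flow per line: src,dst,dport
SAMPLE_FLOWS = """\
10.20.1.10,10.20.30.5,502
203.0.113.44,10.20.30.5,80
10.50.7.21,10.20.30.9,20000
203.0.113.44,10.20.30.5,22
10.50.7.21,10.99.0.3,443
not-an-ip,10.20.30.5,502
"""

def _in_any(addr, nets):
    return any(addr in net for net in nets)

def classify(src, dst, dport):
    """Return 'external', 'unauthorized-internal', or None for one flow."""
    if dport not in ICS_PORTS or not _in_any(dst, DEVICE_NETS):
        return None   # not a watched port on a watched device
    if src in MGMT_HOSTS:
        return None   # expected management traffic
    return "unauthorized-internal" if _in_any(src, INTERNAL_NETS) else "external"

def find_alerts(flow_text):
    """Parse CSV flows; return (verdict, src, dst, dport). Malformed rows are skipped."""
    alerts = []
    for row in csv.reader(io.StringIO(flow_text)):
        try:
            src, dst, dport = ip_address(row[0]), ip_address(row[1]), int(row[2])
        except (ValueError, IndexError):
            continue
        verdict = classify(src, dst, dport)
        if verdict:
            alerts.append((verdict, str(src), str(dst), dport))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_FLOWS):
        print(alert)
```

Once the ACL workaround is in place, any `unauthorized-internal` hit also indicates a rule that is not being enforced as intended.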