CVE-2023-46143
📋 TL;DR
CVE-2023-46143 is a critical vulnerability in PHOENIX CONTACT classic line PLCs that allows unauthenticated remote attackers to download and modify applications on affected programmable logic controllers. This affects industrial control systems using these specific PLCs, potentially compromising manufacturing, infrastructure, and other operational technology environments.
💻 Affected Systems
- PHOENIX CONTACT classic line PLCs
📦 What is this software?
Automationworx Software Suite by Phoenixcontact
Axc 1050 Firmware by Phoenixcontact
Axc 1050 Xc Firmware by Phoenixcontact
Axc 3050 Firmware by Phoenixcontact
Config\+ by Phoenixcontact
Fc 350 Pci Eth Firmware by Phoenixcontact
Ilc 3xx Firmware by Phoenixcontact
Ilc1x0 Firmware by Phoenixcontact
Ilc1x1 Firmware by Phoenixcontact
Pc Worx by Phoenixcontact
Pc Worx Express by Phoenixcontact
Pc Worx Rt Basic Firmware by Phoenixcontact
Pc Worx Srt by Phoenixcontact
Rfc 430 Eth Ib Firmware by Phoenixcontact
Rfc 450 Eth Ib Firmware by Phoenixcontact
Rfc 460r Pn 3tx Firmware by Phoenixcontact
Rfc 470s Pn 3tx Firmware by Phoenixcontact
Rfc 480s Pn 4tx Firmware by Phoenixcontact
⚠️ Risk & Real-World Impact
Worst Case
Complete takeover of industrial processes, physical damage to equipment, production shutdowns, safety system compromise leading to potential injuries or environmental harm.
Likely Case
Unauthorized modification of PLC logic causing production disruptions, quality issues, or operational anomalies without physical damage.
If Mitigated
Limited impact due to network segmentation and access controls preventing external attackers from reaching PLCs.
🎯 Exploit Status
Vulnerability allows direct code download/modification without authentication; exploitation appears straightforward based on advisory description.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific firmware versions
Vendor Advisory: https://cert.vde.com/en/advisories/VDE-2023-057/
Restart Required: Yes
Instructions:
1. Download latest firmware from PHOENIX CONTACT support portal. 2. Backup current PLC configuration. 3. Upload new firmware using PC Worx engineering software. 4. Restore configuration. 5. Verify functionality.
🔧 Temporary Workarounds
Network Segmentation
allIsolate PLCs from untrusted networks using firewalls and VLANs
Access Control Lists
allRestrict access to PLC programming ports (TCP 1962 typically) to authorized engineering stations only
🧯 If You Can't Patch
- Implement strict network segmentation with industrial firewalls
- Deploy intrusion detection systems monitoring for unauthorized PLC programming traffic
🔍 How to Verify
Check if Vulnerable:
Check PLC firmware version against vendor advisory; if using classic line PLCs with unpatched firmware, assume vulnerable.Check Version:
Use PC Worx engineering software to read PLC firmware versionVerify Fix Applied:
Verify firmware version matches or exceeds patched version listed in vendor advisory using PC Worx software.📡 Detection & Monitoring
Log Indicators:
- Unauthorized connection attempts to PLC programming port (TCP 1962)
- Unexpected firmware download or programming events in PLC logs
Network Indicators:
- Traffic to TCP port 1962 from unauthorized sources
- Unusual PLC programming traffic patterns
SIEM Query:
source_ip NOT IN (authorized_engineering_stations) AND dest_port=1962 AND protocol=TCP