Summary
Phoenix Contact Classic Line industrial controllers (ILC1x0 and ILC1x1 product families as well as the AXIOLINE controllers AXC1050 and AXC3050) are developed and designed for the use in closed industrial networks. The communication protocols used for device management and configuration do not feature authentication measures.
Update A, 2022-06-21
This updated version contains additional affected products.In addition, a new application note for classic line controllers had been published to make it easier for our customers to find out the actions how to disable the unauthorized communication ports instead of checking out each controller's manual.
Impact
If the above-mentioned controllers are used in an unprotected open network, an unauthorized attacker can change or download the device code/configuration, start or stop services, update or modify the firmware or shutdown the device.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| 2700988 | AXC 1050 | Firmware vers:all/* |
| 2701295 | AXC 1050 XC | Firmware vers:all/* |
| 2700989 | AXC 3050 | Firmware vers:all/* |
| 2730844 | FC 350 PCI ETH | Firmware vers:all/* |
| 2700977 | ILC 1x1 GSM/GPRS | Firmware vers:all/* |
| ILC1x0 | Firmware vers:all/* | |
| ILC1x1 | Firmware vers:all/* | |
| 2700291 | PC WORX RT BASIC | Firmware vers:all/* |
| 2701680 | PC WORX SRT | Firmware vers:all/* |
| 2730190 | RFC 430 ETH-IB | Firmware vers:all/* |
| 2730200 | RFC 450 ETH-IB | Firmware vers:all/* |
| 2700784 | RFC 460R PN 3TX | Firmware vers:all/* |
| 1096407 | RFC 460R PN 3TX-S | Firmware vers:all/* |
| 2916600 | RFC 470 PN 3TX | Firmware vers:all/* |
| 2916794 | RFC 470S PN 3TX | Firmware vers:all/* |
| 2404577 | RFC 480S PN 4TX | Firmware vers:all/* |
Vulnerabilities
Expand / Collapse allMultiple Phoenix Contact devices allow remote attackers to establish TCP sessions to port 1962 and obtain sensitive information or make changes, as demonstrated by using the Create Backup feature to traverse all directories.
Mitigation
Customers using Phoenix Contact classic line controllers are recommended to operate the devices in closed networks or protected with a suitable firewall as intended.
For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note external link for classic line controllers.
If the use of an affected controller in protected zones is not suitable OT communication protocols should be disabled. Either by using the CPU services via console or Web-based Management according to the controller type. Information's for which controllers and from which firmware version communication protocols can be disabled are described in our application note for classic line controllers or the manual to the respective controller which is available for download at the Phoenix Contact website.
Controller supporting CPU services or WBM for disabling communication protocols:
| Article | Article Number | Minimum firmware version |
|---|---|---|
| ILC 1x0 | All variants | not possible |
| ILC 1x1 | All variants | >= FW 4.42 |
| ILC 1x1 GSM/GPRS | 2700977 | >= FW 4.42 |
| ILC 3xx | All variants | FW 3.98 |
| AXC 1050 | 2700988 | >= FW 3.01, FW 5.00 (WBM) |
| AXC 1050 XC | 2701295 | >= FW 3.01, FW 5.00 (WBM) |
| AXC 3050 | 2700989 | >= FW 5.60, FW 6.30 (WBM) |
| RFC 480S PN 4TX | 2404577 | FW 6.10 |
| RFC 470 PN 3TX | 2916600 | >= FW 4.20 |
| RFC 470S PN 3TX | 2916794 | >= FW 4.20 |
| RFC 460R PN 3TX | 2700784 | >= FW 5.00 |
| RFC 460R PN 3TX-S | 1096407 | FW 5.30 |
| RFC 430 ETH-IB | 2730190 | not possible |
| RFC 450 ETH-IB | 2730200 | not possible |
| PC WORX SRT | 2701680 | not possible |
| PC WORX RT BASIC | 2700291 | not possible |
| FC 350 PCI ETH | 2730844 | not possible |
Revision History
| Version | Date | Summary |
|---|---|---|
| 1.0.0 | 07.08.2019 02:00 | Initial revision. |
| 2.0.0 | 21.06.2022 07:14 | final version. |
| 3.0.0 | 06.11.2024 12:27 | Fix: correct certvde domain, added alias, added self-reference |
| 4.0.0 | 12.02.2025 17:48 | Fix: corrected self-reference, fixed version |
| 5.0.0 | 22.05.2025 15:03 | Fix: version term, quotation mark |
| 6.0.0 | 04.06.2025 10:00 | Fix: Version Range |
| 6.0.1 | 11.07.2025 08:30 | Fixed vendor name in product tree. Switched to Semver versioning in document revisions. |
| 7.0.0 | 11.07.2025 09:00 | Increased major version due to changes to the product tree in the previous version. |