ID CVE-2014-9195
Summary Phoenix Contact ProConOS and MultiProg do not require authentication, which allows remote attackers to execute arbitrary commands via protocol-compliant traffic.
References
Vulnerable Configurations
  • Phoenix Contact Software MULTIPROG 5.0
    cpe:2.3:a:phoenixcontact-software:multiprog:5.0
  • Phoenix Contact Software MULTIPROG 5.0 Express Edition
    cpe:2.3:a:phoenixcontact-software:multiprog:5.0:-:-:-:express
  • Phoenix Contact Software MULTIPROG 5.0 Pro+ Edition
    cpe:2.3:a:phoenixcontact-software:multiprog:5.0:-:-:-:pro%2b
  • Phoenix Contact Software ProConOS eCLR
    cpe:2.3:o:phoenixcontact-software:proconos_eclr
  • cpe:2.3:o:phoenixcontact-software:proconos_eclr:-::-:-:single_chip
    cpe:2.3:o:phoenixcontact-software:proconos_eclr:-::-:-:single_chip
  • cpe:2.3:o:phoenixcontact-software:proconos_eclr:-::-:-:softplc
    cpe:2.3:o:phoenixcontact-software:proconos_eclr:-::-:-:softplc
  • cpe:2.3:o:phoenixcontact-software:proconos_eclr:-::-:-:visual_studio
    cpe:2.3:o:phoenixcontact-software:proconos_eclr:-::-:-:visual_studio
CVSS
Base: 7.5 (as of 21-01-2015 - 11:35)
Impact:
Exploitability:
CWE CWE-255
CAPEC
Access
Vector NETWORK
Complexity LOW
Authentication NONE
Impact
Confidentiality PARTIAL
Integrity PARTIAL
Availability PARTIAL
exploit-db via4
description Phoenix Contact ILC 150 ETH PLC Remote Control Script. CVE-2014-9195. Remote exploit for hardware platform
file exploits/hardware/remote/37066.py
id EDB-ID:37066
last seen 2016-02-04
modified 2015-05-20
platform hardware
port
published 2015-05-20
reporter Photubias
source https://www.exploit-db.com/download/37066/
title Phoenix Contact ILC 150 ETH PLC Remote Control Script
type remote
metasploit via4
description PhoenixContact Programmable Logic Controllers are built upon a variant of ProConOS, communicating using a proprietary protocol over ports TCP/1962 and TCP/41100 or TCP/20547. It allows a remote user to read out the PLC Type, Firmware and Build number on port TCP/1962, and also to read out the CPU State (Running or Stopped) and start or stop the CPU on port TCP/41100 (confirmed ILC 15x and 17x series) or on port TCP/20547 (confirmed ILC 39x series).
id MSF:AUXILIARY/ADMIN/SCADA/PHOENIX_COMMAND
last seen 2019-03-29
modified 2017-07-24
published 2016-05-17
reliability Normal
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/scada/phoenix_command.rb
title PhoenixContact PLC Remote START/STOP Command
packetstorm via4
data source https://packetstormsecurity.com/files/download/131961/phoenixcontact-remotecontrol.txt
id PACKETSTORM:131961
last seen 2016-12-05
published 2015-05-19
reporter Photubias
source https://packetstormsecurity.com/files/131961/Phoenix-Contact-ILC-150-ETH-PLC-Remote-Control.html
title Phoenix Contact ILC 150 ETH PLC Remote Control
refmap via4
exploit-db 37066
misc https://ics-cert.us-cert.gov/advisories/ICSA-15-013-03
Last major update 22-01-2015 - 10:18
Published 16-01-2015 - 21:59
Last modified 29-11-2018 - 09:43