CVE-2014-9195

Phoenix Contact ILC 150 ETH PLC - Remote Control Script

Severity Score

9.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Phoenix Contact ProConOs and MultiProg do not require authentication, which allows remote attackers to execute arbitrary commands via protocol-compliant traffic.

Phoenix Contact ProConOs y MultiProg no requieren autenticación, lo que permite a atacantes remotos ejecutar comandos arbitrarios a través de trafico conforme con el protocolo.

PhoenixContact Programmable Logic Controllers are built upon a variant of ProConOS. Communicating using a proprietary protocol over ports TCP/1962 and TCP/41100 or TCP/20547. It allows a remote user to read out the PLC Type, Firmware and Build number on port TCP/1962. And also to read out the CPU State (Running or Stopped) AND start or stop the CPU on port TCP/41100 (confirmed ILC 15x and 17x series) or on port TCP/20547 (confirmed ILC 39x series).

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2014-12-02 CVE Reserved
2015-01-17 CVE Published
2015-05-19 First Exploit
2024-08-06 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-255: Credentials Management Errors

CAPEC

References (4)

URL	Tag	Source
https://ics-cert.us-cert.gov/advisories/ICSA-15-013-03	Third Party Advisory

URL	Date	SRC
https://packetstorm.news/files/id/180781	2024-08-31
https://packetstorm.news/files/id/131961	2015-05-19
https://www.exploit-db.com/exploits/37066	2024-08-06

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Phoenixcontact-software Search vendor "Phoenixcontact-software"		Multiprog Search vendor "Phoenixcontact-software" for product "Multiprog"				5.0 Search vendor "Phoenixcontact-software" for product "Multiprog" and version "5.0"		-		Affected
Phoenixcontact-software Search vendor "Phoenixcontact-software"		Multiprog Search vendor "Phoenixcontact-software" for product "Multiprog"				5.0 Search vendor "Phoenixcontact-software" for product "Multiprog" and version "5.0"		express		Affected
Phoenixcontact-software Search vendor "Phoenixcontact-software"		Multiprog Search vendor "Phoenixcontact-software" for product "Multiprog"				5.0 Search vendor "Phoenixcontact-software" for product "Multiprog" and version "5.0"		pro\+		Affected
Phoenixcontact-software Search vendor "Phoenixcontact-software"		Proconos Eclr Search vendor "Phoenixcontact-software" for product "Proconos Eclr"				*		-		Affected
Phoenixcontact-software Search vendor "Phoenixcontact-software"		Proconos Eclr Search vendor "Phoenixcontact-software" for product "Proconos Eclr"				*		single_chip		Affected
Phoenixcontact-software Search vendor "Phoenixcontact-software"		Proconos Eclr Search vendor "Phoenixcontact-software" for product "Proconos Eclr"				*		softplc		Affected
Phoenixcontact-software Search vendor "Phoenixcontact-software"		Proconos Eclr Search vendor "Phoenixcontact-software" for product "Proconos Eclr"				*		visual_studio		Affected