CVE-2014-9195
Published: 2015-01-17
Priority: P1 (80, high) · CVSS 2.0: 7.5 · AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit available
EPSS: 81.13% (99.6th percentile)
Phoenix Contact ProConOs and MultiProg do not require authentication, which allows remote attackers to execute arbitrary commands via protocol-compliant traffic.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phoenix_contact | multiprog | — | — |
| phoenix_contact | proconos | — | — |
| phoenixcontact-software | multiprog | — | — |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated TCP connections to ports 1962, 41100, and 20547 on ICS/SCADA networks — these are the proprietary ProConOS protocol ports used for PLC enumeration and control without any authentication challenge.
- Detect the ProConOS initialization handshake by inspecting TCP payloads on port 41100 for the ASCII string 'Ade.Remoting.Services.IProConOSControlService2' (hex-encoded in the binary stream), which is sent as part of the unauthenticated session setup.
- Alert on TCP sessions to port 1962 that send the known PLC info-query byte sequence starting with '0101001a005e' — this is the initial enumeration packet used to retrieve PLC type, firmware version, and build date without authentication.
- Detect PLC STOP commands on TCP/41100 by matching the payload byte sequence '01000200000000000100070000000000', and COLD/WARM/HOT START commands matching '010002000000020001000600000000000[1-3]00'.
- The protocol sends no authentication tokens at any stage; any external or unexpected source IP initiating a full multi-packet session to TCP/1962 followed by TCP/41100 or TCP/20547 should be treated as a potential exploitation attempt.
- The exploit targets ALL firmware versions of the affected Phoenix Contact ILC 150 ETH PLC; there is no patched firmware version to filter on — all versions are vulnerable.
- Port TCP/41100 is confirmed for ILC 15x and 17x series; port TCP/20547 is confirmed for ILC 39x series. Detection rules should cover both ports to account for different hardware variants.
- The initMonitor function sends 21 packets before any control action; partial session detection (e.g., only seeing keepalive packets) may miss the attack. Full session reassembly is needed for reliable detection.
- Phoenix Contact Software intentionally designed the protocol without authentication, expecting downstream vendors to add their own. Detection cannot rely on authentication failures as an indicator — absence of any auth exchange IS the vulnerability.
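Added example, not code from this page or from any of the quoted sources: a Python classifier that applies the port and byte-pattern indicators from the bullets above to TCP payloads, and flags a source only when it completes the enumerate-then-control sequence the bullets describe (so lone keepalive-style packets do not trigger). The packet records, source IPs, allowlist parameter and helper names are constructed for this example.

```python
import re
from collections import defaultdict, namedtuple

# Ports and byte patterns quoted on this page (hex of the TCP payload).
PROCONOS_PORTS = {1962, 41100, 20547}
INFO_QUERY_PREFIX = bytes.fromhex("0101001a005e")             # PLC info query on TCP/1962
STOP_CMD = bytes.fromhex("01000200000000000100070000000000")   # CPU STOP on a control port
START_CMD_RE = re.compile(  # COLD/WARM/HOT START: second-to-last byte is 1, 2 or 3
    rb"\x01\x00\x02\x00\x00\x00\x02\x00\x01\x00\x06\x00\x00\x00\x00\x00([\x01-\x03])\x00")
INIT_SERVICE = b"Ade.Remoting.Services.IProConOSControlService2"  # unauthenticated session setup
START_KIND = {1: "cold-start", 2: "warm-start", 3: "hot-start"}
CONTROL = {"stop", *START_KIND.values()}

# Constructed packet record: source IP, destination TCP port on the PLC, TCP payload.
Packet = namedtuple("Packet", "src dport payload")

def classify(pkt):
    """Label one packet with the ProConOS action it carries, or None."""
    if pkt.dport == 1962:
        return "enum" if pkt.payload.startswith(INFO_QUERY_PREFIX) else None
    if pkt.dport not in PROCONOS_PORTS:
        return None
    if INIT_SERVICE in pkt.payload:
        return "init"
    if pkt.payload == STOP_CMD:
        return "stop"
    m = START_CMD_RE.fullmatch(pkt.payload)
    return START_KIND[m.group(1)[0]] if m else None

def flag_sources(packets, allowlist=frozenset()):
    """Sources outside the allowlist that enumerate the PLC on TCP/1962 and later
    send a control action: the full unauthenticated session described above."""
    actions = defaultdict(list)
    for pkt in packets:
        label = classify(pkt)
        if label and pkt.src not in allowlist:
            actions[pkt.src].append(label)   # unmatched packets (keepalives) are ignored
    return {src: acts for src, acts in actions.items()
            if "enum" in acts and CONTROL & set(acts[acts.index("enum") + 1:])}

# Constructed sample traffic, not a real capture.
SAMPLE = [
    Packet("10.0.0.50", 1962, INFO_QUERY_PREFIX + b"\x00\x00\x00\x00\x00\x03"),
    Packet("10.0.0.50", 41100, INIT_SERVICE + b"\x00"),
    Packet("10.0.0.50", 41100, b"\x01\x00\x02\x00\x00\x00\x00\x00"),  # keepalive-style, unmatched
    Packet("10.0.0.50", 41100, bytes.fromhex("010002000000020001000600000000000200")),  # WARM START
    Packet("10.0.0.7", 41100, STOP_CMD),  # STOP without prior enumeration: not a full session
]
```

Running `flag_sources(SAMPLE)` reports only 10.0.0.50, with the ordered actions enum, init, warm-start; passing known engineering workstations in `allowlist` suppresses them.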
CISA ICS
Phoenix Contact Software ProConOs and MultiProg Authentication Vulnerability
cisa_ics · 2019-01-24
ICS Advisory
Last Revised: January 24, 2019
Alert Code: ICSA-15-013-03
## OVERVIEW
Reid Wightman of Digital Bond has identified an authentication vulnerability in Phoenix Contact Software’s ProConOs and MultiProg applications. KW-Software originally wrote these applications without authentication intentionally.
This vulnerability could be exploited remotely.
## AFFECTED PRODUCTS
The following applications are affected:
- ProConOs all versions, and
- MultiProg all versions.
## IMPACT
An exploitation of this vulner
GHSA
GHSA-qp5x-q9h8-gxm5 · ghsa_unreviewed · 2022-05-14 · CVE-2014-9195 [HIGH] · CWE-306
Phoenix Contact ProConOs and MultiProg do not require authentication, which allows remote attackers to execute arbitrary commands via protocol-compliant traffic.
No detection rules found.
Exploit-DB
Phoenix Contact ILC 150 ETH PLC - Remote Control Script
exploitdb · 2015-05-20 · CVSS 10.0 · CVE-2014-9195 [CRITICAL]
---
```python
#!/usr/bin/env python
'''
# Exploit Title: Phoenix Contact ILC 150 ETH PLC Remote Control script
# Date: 2015-05-19
# Exploit Author: Photubias - tijl[dot]deneut[at]howest[dot]be
# Vendor Homepage: https://www.phoenixcontact.com/online/portal/us?urile=pxc-oc-itemdetail:pid=2985330
# Version: ALL FW VERSIONS
# Tested on: Python runs on Windows, Linux
# CVE : CVE-2014-9195
Copyright 2015 Photubias(c)
Written for Howest(c) University College
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it wil
```
Metasploit
PhoenixContact PLC Remote START/STOP Command
metasploit
PhoenixContact Programmable Logic Controllers are built upon a variant of ProConOS, communicating using a proprietary protocol over ports TCP/1962 and TCP/41100 or TCP/20547. It allows a remote user to read out the PLC type, firmware and build number on port TCP/1962, and also to read out the CPU state (Running or Stopped) and start or stop the CPU on port TCP/41100 (confirmed ILC 15x and 17x series) or on port TCP/20547 (confirmed ILC 39x series).
Published: 2015-01-17