cbcvebase.
CVE-2014-9195
published 2015-01-17

CVE-2014-9195: Phoenix Contact ProConOs and MultiProg do not require authentication, which allows remote attackers to execute arbitrary commands via protocol-compliant…

Priority: P180 (high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available
EPSS: 81.13% (99.6th percentile)
Phoenix Contact ProConOs and MultiProg do not require authentication, which allows remote attackers to execute arbitrary commands via protocol-compliant traffic.

Affected (3 ranges)

Vendor                  | Product   | Version range | Fixed in
phoenix_contact         | multiprog |               |
phoenix_contact         | proconos  |               |
phoenixcontact-software | multiprog |               |

Detection & IOCs (extracted from sources)

port: TCP/1962
port: TCP/41100
port: TCP/20547
bytes: 0101001a005e000000000003000c494245544830314e305f4d00
bytes: 010002000000080003000300000000000200000002400b40
bytes: 0100020000001c0003000300000000000c00000007000500060008001000020011000e000f000d0016401600
bytes: 01000200000000000100070000000000
bytes: 010002000000020001000600000000000100
bytes: 010002000000020001000600000000000200
bytes: 010002000000020001000600000000000300
bytes: 010002000000020003000100000000000840
bytes: 0100000000002f00000000000000cfff4164652e52656d6f74696e672e53657276696365732e4950726f436f6e4f53436f6e74726f6c536572766963653200
  • Monitor for unauthenticated TCP connections to ports 1962, 41100, and 20547 on ICS/SCADA networks. These are the proprietary ProConOS protocol ports used for PLC enumeration and control, and the PLC issues no authentication challenge on any of them.
  • Detect the ProConOS session setup by inspecting TCP payloads on port 41100 for the ASCII string 'Ade.Remoting.Services.IProConOSControlService2' (it appears as plain ASCII bytes inside the binary payload, as in the last byte sequence above), which is sent as part of the unauthenticated session establishment.
  • Alert on TCP sessions to port 1962 that send the known PLC info-query byte sequence starting with '0101001a005e'. This is the initial enumeration packet used to retrieve PLC type, firmware version, and build date without authentication.
  • Detect PLC STOP commands on TCP/41100 by matching the payload byte sequence '01000200000000000100070000000000', and COLD/WARM/HOT START commands by matching '010002000000020001000600000000000[1-3]00' (a pattern over the hex encoding: the 17th byte is 0x01, 0x02 or 0x03 and the 18th is 0x00).
  • The protocol sends no authentication tokens at any stage; any external or unexpected source IP initiating a full multi-packet session to TCP/1962 followed by TCP/41100 or TCP/20547 should be treated as a potential exploitation attempt.
  • The exploit targets ALL firmware versions of the affected Phoenix Contact ILC 150 ETH PLC; there is no patched firmware version to filter on, since all versions are vulnerable.
  • Port TCP/41100 is confirmed for ILC 15x and 17x series; port TCP/20547 is confirmed for ILC 39x series. Detection rules should cover both ports to account for different hardware variants.
  • The initMonitor function sends 21 packets before any control action; partial session detection (e.g., only seeing keepalive packets) may miss the attack. Full session reassembly is needed for reliable detection.
  • Phoenix Contact Software intentionally designed the protocol without authentication, expecting downstream vendors to add their own. Detection cannot rely on authentication failures as an indicator; the absence of any auth exchange IS the vulnerability.
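The detection logic the bullets above describe, as an added example that is not code from this page's sources or from any Phoenix Contact tooling: it classifies individual TCP payloads against the byte-pattern IOCs listed above and then applies the behavioural rule (a source that enumerates a PLC on TCP/1962 and then opens TCP/41100 or TCP/20547, or any STOP/START command from a host outside an allowlist). The IP addresses, the allowlist and the packet capture are constructed for the demo; the mapping of the trailing 0x01/0x02/0x03 byte to COLD/WARM/HOT START follows the order the bullet gives and is an assumption.

```python
"""Classify ProConOS traffic by the byte-pattern IOCs on this page and flag
unauthenticated enumerate-then-control sessions. Example code, not from the
page's sources; addresses and the sample capture below are constructed."""
from collections import defaultdict

# ProConOS TCP ports listed on this page: 1962 (enumeration), 41100 (ILC 15x/17x
# control), 20547 (ILC 39x control).
PROCONOS_PORTS = {1962, 41100, 20547}

# Byte-pattern IOCs from the page.
INFO_QUERY_PREFIX = bytes.fromhex("0101001a005e")
SERVICE_NAME = b"Ade.Remoting.Services.IProConOSControlService2"
STOP_CMD = bytes.fromhex("01000200000000000100070000000000")
START_CMD_PREFIX = bytes.fromhex("01000200000002000100060000000000")
# Assumption: 0x01/0x02/0x03 map to COLD/WARM/HOT in the order the page lists them.
START_NAMES = {1: "PLC_COLD_START", 2: "PLC_WARM_START", 3: "PLC_HOT_START"}
CONTROL_LABELS = {"PLC_STOP", *START_NAMES.values()}


def classify_payload(dst_port, payload):
    """Label one TCP payload sent towards a PLC, or None if the port is not one
    of the ProConOS ports this page describes."""
    if dst_port not in PROCONOS_PORTS:
        return None
    if dst_port == 1962 and payload.startswith(INFO_QUERY_PREFIX):
        return "PLC_INFO_QUERY"
    if SERVICE_NAME in payload:          # ASCII service name inside the binary stream
        return "SESSION_SETUP_IPROCONOSCONTROLSERVICE2"
    if payload == STOP_CMD:
        return "PLC_STOP"
    # START commands: 16-byte fixed prefix, then the variant byte, then 0x00.
    if (len(payload) == len(START_CMD_PREFIX) + 2
            and payload.startswith(START_CMD_PREFIX)
            and payload[-1] == 0
            and payload[-2] in START_NAMES):
        return START_NAMES[payload[-2]]
    return "PROCONOS_PORT_UNCLASSIFIED"


def flag_sessions(packets, allowed_sources=frozenset()):
    """packets: iterable of (src_ip, dst_ip, dst_port, payload) in capture order.
    Returns a list of alert strings. The protocol carries no auth exchange, so
    the only usable signals are who is talking and in what order: a source that
    enumerates a PLC on 1962 and then opens a control port, and any control
    command from a source outside the allowlist, are flagged."""
    alerts = []
    enumerated = defaultdict(set)   # src_ip -> PLCs it queried on TCP/1962
    already_flagged = set()
    for src, dst, port, payload in packets:
        label = classify_payload(port, payload)
        if label is None:
            continue
        if label == "PLC_INFO_QUERY":
            enumerated[src].add(dst)
        elif port in (41100, 20547) and dst in enumerated[src] \
                and (src, dst) not in already_flagged:
            already_flagged.add((src, dst))
            alerts.append(f"{src} enumerated {dst} on TCP/1962 then opened "
                          f"control port TCP/{port}")
        if label in CONTROL_LABELS and src not in allowed_sources:
            alerts.append(f"{label} sent to {dst}:{port} by non-allowlisted "
                          f"source {src}")
    return alerts


# Constructed addresses for the demo.
ENGINEERING_WS = "10.0.10.5"
UNKNOWN_HOST = "10.0.99.23"
PLC = "10.0.20.7"


def sample_packets():
    """Constructed capture (not real traffic): the engineering workstation does a
    routine info query; an unknown host then enumerates the PLC, sets up a
    session on TCP/41100 and issues STOP followed by COLD START."""
    info = bytes.fromhex("0101001a005e000000000003000c494245544830314e305f4d00")
    setup = bytes.fromhex("0100000000002f00000000000000cfff") + SERVICE_NAME + b"\x00"
    cold_start = START_CMD_PREFIX + b"\x01\x00"
    return [
        (ENGINEERING_WS, PLC, 1962, info),
        (UNKNOWN_HOST, PLC, 1962, info),
        (UNKNOWN_HOST, PLC, 41100, setup),
        (UNKNOWN_HOST, PLC, 41100, STOP_CMD),
        (UNKNOWN_HOST, PLC, 41100, cold_start),
    ]


def demo():
    """Run the sample capture through the detector with the workstation allowlisted."""
    return flag_sessions(sample_packets(), allowed_sources={ENGINEERING_WS})


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The enumerate-then-control rule is keyed on the source/destination pair rather than on a single packet, which is the point of the reassembly caveat above: a rule that only fires on the STOP or START payload will still catch the command, but it cannot distinguish a commissioning engineer from an intruder, so the allowlist and the ordering check carry the real signal.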