CVE-2022-31801
published 2022-06-21
CVE-2022-31801: An unauthenticated, remote attacker could upload malicious logic to the devices based on ProConOS/ProConOS eCLR in order to gain full control over the device.
Priority: P264, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.03% (59.4th percentile)
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phoenix_contact | multiprog | — | — |
| phoenix_contact | proconos | — | — |
| phoenix_contact | proconos_eclr | — | — |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated logic upload attempts to ProConOS/ProConOS eCLR-based controllers: the vulnerability allows arbitrary code upload with no authentication or integrity check required.
- Alert on any logic/program upload traffic to industrial controllers running ProConOS or MULTIPROG from unexpected or external sources, particularly where no authentication exchange is observed.
- Flag engineering-tool-to-controller communication sessions originating outside of locally protected or VPN-secured environments as potentially malicious.
- No known public exploits exist at time of advisory publication, reducing immediate weaponized-exploit detection surface but not eliminating risk from targeted actors.
- The vulnerability is in the SDK itself; downstream OEM devices built on ProConOS/ProConOS eCLR are also affected, so detection scope must extend beyond Phoenix Contact-branded products to any device using this SDK.
CVSS provenance
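| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |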
GHSA
GHSA-jgp8-hj42-f7f6: An unauthenticated, remote attacker could upload malicious logic to the devices based on ProConOS/ProConOS eCLR in order to gain full control over the
ghsa_unreviewed · 2022-06-22
CVE-2022-31801 [CRITICAL] CWE-345 GHSA-jgp8-hj42-f7f6: An unauthenticated, remote attacker could upload malicious logic to the devices based on ProConOS/ProConOS eCLR in order to gain full control over the
CISA ICS
Phoenix Contact ProConOS and MULTIPROG
cisa_ics · 2022-06-21 · CVSS 9.8
[CRITICAL] Phoenix Contact ProConOS and MULTIPROG
ICS Advisory
## Phoenix Contact ProConOS and MULTIPROG
Last Revised: June 21, 2022
Alert Code: ICSA-22-172-04
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Phoenix Contact
- Equipment: ProConOS/ProConOS eCLR and MULTIPROG
- Vulnerability: Insufficient Verification of Data Authenticity
CISA is aware of a public report, known as “OT:ICEFALL” that details vulnerabilities found in multiple operational technology (OT) vendors. CISA is issuing this advisory to provide notice of the reported vulnerabilities and identify baseline mitigations fo
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2022-06-21
Published