The build settings of a PLCnext Engineer project (.pcwex) can be manipulated in a way that can result in the execution of remote code.
The attacker needs to get access to a PLCnext Engineer project to be able to manipulate files inside. Additionally, the files of the remote code need to be transferred to a location which can be accessed by the PC that runs PLCnext Engineer. When PLCnext Engineer runs a build process of the manipulated project the remote code can be executed.
In PHOENIX CONTACT PLCnext Engineer version 2020.3.1 and earlier an improper path sanitation vulnerability exists on import of project files.
Availability, integrity, or confidentiality of an engineering workstation might be compromised by attacks using these vulnerabilities.
Phoenix Contact strongly recommends updating to the latest version PLCnext Enineer 2020.6 or
higher, which fixes this vulnerability.
Temporary Fix / Mitigation
We strongly recommend customers to exchange project files only using secure file exchange
services. Project files should not be exchanged via unencrypted email. Users should avoid
importing project files from unknown source and exchange or store project files together with a
checksum to ensure their integrity.
This vulnerability was discovered and reported by Amir Preminger of Claroty.
PHOENIX CONTACT reported the vulnerability to CERT@VDE.