CVE-2019-12871
Description
A Use-After-Free vulnerability in PHOENIX CONTACT PC Worx, PC Worx Express, and Config+ allows remote code execution via a manipulated project file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A Use-After-Free vulnerability has been discovered in PHOENIX CONTACT PC Worx through version 1.86, PC Worx Express through version 1.86, and Config+ through version 1.86 [1]. The flaw exists within the parsing of BCP files, where the application fails to validate the existence of an object prior to performing operations on it [1]. The attacker must first obtain an original project file from the target workstation, manipulate it, and then replace the original file with the tampered one [1][2].
Exploitation
Exploitation requires user interaction: the target user must open the malicious project file, either by visiting a malicious page or by opening the manipulated file directly [1]. The attacker needs local access to the application programming workstation to exchange the original file with the modified one [1][2]. No authentication is needed to trigger the vulnerability once the user opens the file. The attack vector is local, meaning the attacker must have some degree of access to the system or rely on social engineering [1].
Impact
Successful exploitation leads to remote code execution in the context of the current process [1]. The CVSS v3 base score is 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability [1]. The attacker effectively gains the ability to execute arbitrary code on the affected workstation.
Mitigation
According to the available references, no fixed version has been published. The vendor was notified and the vulnerability was disclosed via ZDI in June 2019 [1]. Users should ensure that project files are obtained from trusted sources and avoid opening files from untrusted origins [1][2]. If a patch becomes available, it should be applied immediately. No workaround other than cautious file handling is documented.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- PHOENIX CONTACT/PC Worx
- Range: <=1.86
- Range: <=1.86
- Range: <=1.86
Patches
No patches discovered yet.
References
- cert.vde.com/en-us/advisories/vde-2019-014 (mitre, x_refsource_MISC)
- www.zerodayinitiative.com/advisories/ZDI-19-578/ (mitre, x_refsource_MISC)