VYPR
Unrated severity · NVD Advisory · Published Oct 31, 2019 · Updated Aug 5, 2024

CVE-2019-16675

Description

An out-of-bounds read in PHOENIX CONTACT PC Worx, PC Worx Express, and Config+ up to version 1.86 allows remote code execution via a manipulated project file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An out-of-bounds read vulnerability exists in the parsing of MWT and BCP files by PHOENIX CONTACT Automationworx Software Suite, specifically in PC Worx through version 1.86, PC Worx Express through version 1.86, and Config+ through version 1.86 [1][2][3]. The flaw results from improper validation of user-supplied data, which can cause a read past the end of an allocated buffer when handling MWT files or a memory corruption condition when parsing BCP files [1][2]. A manipulated PC Worx or Config+ project file can trigger the vulnerability [3].

Exploitation

An attacker must first obtain an original PC Worx or Config+ project file, manipulate the data inside it, and then replace the original file with the manipulated one on the application programming workstation [3]. The victim must then open the malicious file with the affected software, so user interaction is required [1][2]. No prior authentication is needed, but the file-replacement step implies local access to the workstation [3].

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the current process on the application programming workstation [1][2]. This can compromise the confidentiality, integrity, or availability of the workstation; automated systems programmed with the affected products are not directly impacted [3]. The CVSS v3 base score is 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability [2][3].

Mitigation

As of the publication of this CVE, an updated version of the Automationworx Software Suite was expected before the end of 2019 [3]. Until that update is available, Phoenix Contact strongly recommends exchanging project files only via secure file exchange services and not via unencrypted email [3]. The upcoming release will include more robust validation of arrays, checking both their dimension and their number of elements during input data conversion [3]. No public evidence of this CVE being listed in the CISA Known Exploited Vulnerabilities (KEV) catalog was found in the provided references.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 4

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in the index yet)