CVE-2019-9201

Vulnerability

Multiple Phoenix Contact Classic Line industrial controllers (ILC1x0 and ILC1x1 product families) and AXIOLINE controllers (AXC1050 and AXC3050) expose a TCP service on port 1962 without authentication [1]. This service provides device management and configuration functionality, including a Create Backup feature that allows traversal of all directories on the device. Affected firmware versions are those shipped with these controller families before the security advisory update (VDE-2019-015) published on 2019-08-07 [1].

Exploitation

An attacker with network access to the target device’s port 1962 can establish a TCP session and interact with the unauthenticated management service. No prior authentication or special privileges are required. By invoking the Create Backup feature, the attacker can traverse directory paths to access or exfiltrate files. The attack does not require user interaction or any prerequisite configuration changes on the device [1].

Impact

Successful exploitation allows a remote unauthenticated attacker to read and download device code, configuration files, and other sensitive data via directory traversal. Furthermore, the attacker can modify device configuration, start or stop services, update or modify firmware, or cause a denial of service by shutting down the device [1]. This compromises the confidentiality, integrity, and availability of the controller and the industrial process it manages.

Mitigation

Phoenix Contact has published a security advisory (VDE-2019-015) and an application note describing how to disable unauthorized communication ports. Affected users should restrict network access to port 1962, ideally by isolating the controllers within a closed industrial network or applying firewall rules. No firmware patch is mentioned in the reference [1]; the recommended mitigation is network segmentation and disabling unused ports as per the vendor’s guidance [1].