CVE-2021-33542

Name of the Vulnerable Software and Affected Versions Phoenix Contact Classic Automation Worx Software Suite versions 1.87 and below

Description The issue concerns a remote code execution vulnerability. Manipulated PC Worx or Config+ projects could lead to remote code execution when unallocated memory is freed due to incompletely initialized data. An attacker needs access to an original bus configuration file (*.bcp) to manipulate data inside. After manipulation, the attacker must exchange the original file with the manipulated one on the application programming workstation. This could compromise the availability, integrity, or confidentiality of an application programming workstation. Automated systems in operation programmed with the mentioned products are not affected.

Recommendations For Phoenix Contact Classic Automation Worx Software Suite versions 1.87 and below, consider restricting access to the *.bcp files to minimize the risk of exploitation. As a temporary workaround, limit the ability to exchange original files with manipulated ones on the application programming workstation until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.