Industrial Control Systems (ICS) and Programmable Logic Controllers (PLCs) quietly run all sorts of critical infrastructure—factories, energy plants, water supplies. Many of these rely on ProConOS and ProConOS eCLR, two real-time operating systems made by KW-Software and used by many big automation brands. In May 2022, a severe vulnerability (CVE-2022-31801) was discovered that allows an unauthenticated attacker, anywhere on the network, to upload their own code—or "logic"—onto any PLC running these OSs. This post dives into exactly how this works, steps attackers use, reference resources, PoC code, and most importantly, how to defend your systems.

Table of Contents

1. [What is ProConOS/ProConOS eCLR?](#proconos-intro)

[References & Further Reading](#references)


## 1. What is ProConOS/ProConOS eCLR?

ProConOS (Process Control Operating System) and its newer version, eCLR (embedded Control Runtime), are real-time OSs embedded in many brands of PLCs sold by Phoenix Contact, Siemens, WAGO, Turck, and more. These are the brains that run process automation in factories, buildings, critical infrastructure, and beyond.


CVSS Score: 10. (Critical)

- Affected Products: Many PLCs running ProConOS/ProConOS eCLR before certain patched versions

Brief:

A remote attacker with network access can upload arbitrary logic (PLC code) without authentication, effectively taking over the device.

In plain English: Anyone on the network, or through certain exposed IPs, can create their own PLC program and upload it—no need for a password. This lets them steal data, turn on/off machinery, or brick the device.


3. How the Exploit Works

ProConOS-based PLCs accept logic/program uploads over the network using several methods, typically via dedicated ports (often 120/tcp or 1962/tcp). Normally, only trusted software (like CODESYS IDE or proprietary clients) uploads logic, and there *should* be authentication. But CVE-2022-31801 exists because:

Here’s the basic attack flow

1. The attacker crafts a malicious logic program (can be any valid PLC logic, written in IEC 61131-3 languages—ST, LD, etc).
2. The attacker finds the PLC's IP and port (often via network scan/mapping).
3. The attacker connects, typically via a protocol like TCP, and sends their logic as if they were a legitimate engineering workstation.

The logic is accepted, replacing the legitimate process control program.

5. Attacker’s program can instruct the PLC to perform any action, such as releasing chemicals, shutting valves, blinding sensors, or launching further malware.


Example: Proof of Concept Upload Script (Python, using raw sockets)

The exact upload protocol is proprietary and can differ, but the following demonstrates the basics of a raw send—in reality, a true exploit needs to reverse or mimic the proprietary protocol details.

import socket

# Target PLC's network info (change as necessary)
PLC_IP = "192.168.1.100"
PLC_PORT = 1962   # Typical ProConOS port; check your device

# Example: Sample logic payload, replace with actual binary logic file
with open("malicious_logic.bin", "rb") as f:
    logic_payload = f.read()

# Send payload to PLC
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((PLC_IP, PLC_PORT))
s.sendall(logic_payload)
print("Malicious logic uploaded!")
s.close()


> Note: You need to generate a correct binary PLC "logic" payload file yourself, using reverse-engineered protocol or tools that build code for a ProConOS device.


5. Real-World Impact

- Industrial Sabotage: Attacker can halt production, cause unsafe machinery states, or damage equipment.

Data Manipulation: Change process values, spoof readings, hide alarms.

- Persistence and Backdoors: Attacker logic may disable future legitimate uploads except from their own client.

Staging Attacks: The attacker can use the PLC to pivot further into the plant network.

Example scenario:  
A hacker inside the company WiFi or with access via poorly configured firewall scans for PLC ports, uploads logic that disables safety interlocks, then commands machinery to operate unsafely. In the worst case, this can cause real-world damage or outages.


Check with your PLC vendor for security patches that address CVE-2022-31801.

- Example: WAGO Security Advisory

Isolate Networks:

Keep control networks (where PLCs live) completely isolated from business/office networks and the internet.

Vendor Guidance:

See Phoenix Contact Advisory


7. References & Further Reading

- ICS-CERT Advisory ICSA-22-194-02  
- Phoenix Contact: CVE-2022-31801 Response  
- WAGO Security Notifications
- CVE Details - CVE-2022-31801
- Popular Technical Writeup (German)

Conclusion

CVE-2022-31801 is a clear demonstration of why classic PLCs and ICS devices shouldn’t be directly exposed—even inside your local company network. Patch, segment, and monitor, or face the real possibility of remote sabotage. If you run anything with ProConOS or ProConOS eCLR, get in touch with your vendor, update firmware, and audit your plant’s network security now.


> *Spread awareness. Critical infrastructure needs all the help it can get!*

---
*Original content by Assistant. If sharing, link back to this post to help educate others on industrial cyber hygiene.*

Timeline

Published on: 06/21/2022 08:15:00 UTC
Last modified on: 06/28/2022 17:45:00 UTC