CVE-2019-9201 in ILC 131 ETHinfo

Summary

by MITRE

Multiple Phoenix Contact devices allow remote attackers to establish TCP sessions to port 1962 and obtain sensitive information or make changes, as demonstrated by using the Create Backup feature to traverse all directories.


Analysis

by VulDB Data Team • 06/03/2026

The vulnerability identified as CVE-2019-9201 affects a series of industrial control devices manufactured by Phoenix Contact including various ILC and AXC models. These devices operate within critical infrastructure environments where security is paramount for maintaining operational integrity and preventing unauthorized access to industrial processes. The affected devices are designed for industrial automation and control applications, making them potential targets for adversaries seeking to compromise industrial systems through network-based attacks.

This vulnerability stems from inadequate access controls and authentication mechanisms within the device's network services. Specifically, the devices allow remote attackers to establish TCP connections to port 1962 without proper authentication, creating an attack surface that enables unauthorized access to sensitive system information and functionality. The flaw manifests through the Create Backup feature which, when exploited, permits directory traversal attacks that can access files and directories beyond the intended scope of the backup operation. This represents a fundamental failure in input validation and access control implementation that violates basic security principles.

The operational impact of this vulnerability extends beyond simple information disclosure to potential system compromise and operational disruption. Attackers can leverage this vulnerability to gain unauthorized access to system configurations and operational data, and potentially to manipulate industrial processes. The directory traversal capability is particularly concerning, as it allows attackers to access sensitive files that may contain system credentials, configuration parameters, or operational data that could be used to further compromise the industrial control environment. This vulnerability directly impacts the confidentiality, integrity, and availability of industrial control systems, potentially leading to production disruptions, safety hazards, or unauthorized process modifications.

The security implications of this vulnerability align with CWE-22 (Improper Limiting of a Pathname to a Restricted Directory) and CWE-287 (Improper Authentication), which are commonly exploited in industrial control system attacks. From an ATT&CK framework perspective, this vulnerability maps to techniques including T1105 (Remote File Copy) and T1078 (Valid Accounts), as attackers can leverage the unauthorized access to move laterally within the network or establish persistent access. The vulnerability also represents a critical weakness in the defense-in-depth strategy for industrial control systems, as it allows attackers to bypass fundamental security controls that should protect critical operational technology environments. Organizations should implement immediate mitigations including network segmentation, firewall rules to block access to port 1962, and firmware updates from the vendor to address this vulnerability. Additionally, regular security assessments and monitoring of industrial control system network traffic should be conducted to detect potential exploitation attempts and maintain their operational security posture.
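As an added defensive example that is not part of the VulDB entry, the following Python script applies the monitoring recommendation above to constructed firewall-style connection-log lines: it flags accepted TCP sessions to port 1962 whose source lies outside a hypothetical engineering-workstation subnet. The subnet, the addresses and the log format are assumptions, not details from the advisory.

```python
"""Flag accepted TCP sessions to port 1962 that come from hosts outside the
approved engineering subnet. Added example; addresses and log lines are constructed."""
import ipaddress
import re
from collections import Counter

ADVISORY_PORT = 1962  # TCP port named in the advisory
# Hypothetical subnet of engineering workstations allowed to reach the PLCs.
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.50.0/24")]

# Constructed firewall-style connection log (not real traffic).
SAMPLE_LOG = """\
2026-03-06T08:01:12Z ACCEPT TCP 10.10.50.17:51234 -> 10.10.70.5:1962
2026-03-06T08:01:15Z ACCEPT TCP 10.10.50.17:51235 -> 10.10.70.5:502
2026-03-06T08:02:40Z ACCEPT TCP 192.168.1.99:40012 -> 10.10.70.5:1962
2026-03-06T08:02:41Z ACCEPT TCP 192.168.1.99:40013 -> 10.10.70.6:1962
2026-03-06T08:03:02Z ACCEPT UDP 10.10.50.17:5000 -> 10.10.70.5:1962
2026-03-06T08:03:09Z DROP TCP 203.0.113.7:3344 -> 10.10.70.5:1962
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def is_allowed_source(ip: str) -> bool:
    """True if the source address belongs to an approved engineering subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SOURCES)

def find_suspicious_sessions(log_text: str) -> list[dict]:
    """Return accepted TCP sessions to ADVISORY_PORT from non-approved sources."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        rec = m.groupdict()
        if (rec["action"] == "ACCEPT" and rec["proto"] == "TCP"
                and int(rec["dport"]) == ADVISORY_PORT
                and not is_allowed_source(rec["src"])):
            hits.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"]})
    return hits

def count_by_source(hits: list[dict]) -> dict[str, int]:
    """Aggregate hits per source, e.g. to spot one host reaching several PLCs."""
    return dict(Counter(h["src"] for h in hits))
```

Dropped connections and non-TCP traffic are ignored on purpose; only sessions the firewall actually accepted toward port 1962 from an unexpected source are reported.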

Responsible: MITRE

Reservation: 02/26/2019

Moderation: accepted

CPE: ready

EPSS: 0.01545

KEV: no

Activities: low

Sources
