CVE-2014-9195

Phoenix Contact ProConOs & MultiProg - RCE

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2014-9195. PoCs published by Photubias, including Metasploit module auxiliary/admin/scada/phoenix_command.

AI-analyzed exploit summary This exploit demonstrates unauthorized control over Phoenix Contact ILC 150 ETH PLC by sending crafted packets to manipulate the PLC state (start/stop). It interacts with the device via ports 1962 and 41100 to query and alter its operational status.

Description

Phoenix Contact ProConOs and MultiProg do not require authentication, which allows remote attackers to execute arbitrary commands via protocol-compliant traffic.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Photubias · pythonremotehardware

https://www.exploit-db.com/exploits/37066

View Code ZIP pw:eip

This exploit demonstrates unauthorized control over Phoenix Contact ILC 150 ETH PLC by sending crafted packets to manipulate the PLC state (start/stop). It interacts with the device via ports 1962 and 41100 to query and alter its operational status.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Phoenix Contact ILC 150 ETH PLC (all firmware versions)

No auth needed

Prerequisites: Network access to the target PLC · Open ports 1962 and 41100 on the target

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1046 - Network Service Discovery

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC

rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/scada/phoenix_command.rb

View Code ZIP pw:eip

This Metasploit module exploits a vulnerability in PhoenixContact PLCs to send START/STOP commands to the CPU without authentication. It communicates over proprietary protocols on TCP ports 1962, 41100, or 20547.

Classification

Working Poc 95%

Attack Type

Other

Complexity

Moderate

Reliability

Reliable

Target: PhoenixContact PLC (ILC 15x, 17x, 39x series)

No auth needed

Prerequisites: Network access to target PLC · TCP ports 1962, 41100, or 20547 open

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/37066/

Third Party Advisory, US Government Resource

https://ics-cert.us-cert.gov/advisories/ICSA-15-013-03

Third Party Advisory, US Government Resource

https://www.cisa.gov/news-events/ics-advisories/icsa-15-013-03

Scores

EPSS 0.8249

EPSS Percentile 99.3%

Details

CWE

CWE-255 CWE-306

Status published

Products (4)

Phoenix Contact/MultiProg All versions

Phoenix Contact/ProConOs All versions

phoenixcontact-software/multiprog 5.0 (3 CPE variants)

phoenixcontact-software/proconos_eclr (4 CPE variants)

Published Jan 17, 2015

Tracked Since Feb 18, 2026