CVE-2022-31801 - Vulnerability Details - OpenCVE

An unauthenticated, remote attacker could upload malicious logic to the devices based on ProConOS/ProConOS eCLR in order to gain full control over the device.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Phoenixcontact	Multiprog Proconos
Phoenixcontact-software	Proconos Eclr

Configuration 1 [-]

OR	cpe:2.3:a:phoenixcontact:multiprog::::::::
	cpe:2.3:o:phoenixcontact:proconos::::::::
	cpe:2.3:o:phoenixcontact-software:proconos_eclr:-:::::::*

No data.

References

Link	Providers
https://cert.vde.com/en/advisories/VDE-2022-026/

History

Wed, 03 Jun 2026 02:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: CERTVDE

Published: 2022-06-21T08:00:31.688Z

Updated: 2026-06-02T20:16:11.339Z

Reserved: 2022-05-30T00:00:00.000Z

Link: CVE-2022-31801

Vulnrichment

Updated: 2024-08-03T07:26:01.136Z

NVD

Status : Modified

Published: 2022-06-21T08:15:07.587

Modified: 2024-11-21T07:05:21.537

Link: CVE-2022-31801

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "MULTIPROG", "vendor": "PHOENIX CONTACT", "versions": [{"status": "affected", "version": "All Versions"}]}, {"product": "ProConOS", "vendor": "PHOENIX CONTACT", "versions": [{"status": "affected", "version": "All Versions"}]}, {"product": "ProConOS eCLR", "vendor": "PHOENIX CONTACT", "versions": [{"status": "affected", "version": "All Versions"}]}], "credits": [{"lang": "en", "value": "This vulnerability was reported by Forescout."}], "datePublic": "2022-06-21T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "An unauthenticated, remote attacker could upload malicious logic to the devices based on ProConOS/ProConOS eCLR in order to gain full control over the device."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-345", "description": "CWE-345 Insufficient Verification of Data Authenticity", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-06-21T08:00:31.000Z", "orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "shortName": "CERTVDE"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://cert.vde.com/en/advisories/VDE-2022-026/"}], "source": {"advisory": "VDE-2022-026", "discovery": "EXTERNAL"}, "title": "Insufficient Verification of Data Vulnerability in ProConOS/ProConOS eCLR SDK and MULTIPROG Engineering tool", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "info@cert.vde.com", "DATE_PUBLIC": "2022-06-21T07:00:00.000Z", "ID": "CVE-2022-31801", "STATE": "PUBLIC", "TITLE": "Insufficient Verification of Data Vulnerability in ProConOS/ProConOS eCLR SDK and MULTIPROG Engineering tool"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "MULTIPROG", "version": {"version_data": [{"version_affected": "=", "version_name": "All Versions", "version_value": "All Versions"}]}}, {"product_name": "ProConOS", "version": {"version_data": [{"version_affected": "=", "version_name": "All Versions", "version_value": "All Versions"}]}}, {"product_name": "ProConOS eCLR", "version": {"version_data": [{"version_affected": "=", "version_name": "All Versions", "version_value": "All Versions"}]}}]}, "vendor_name": "PHOENIX CONTACT"}]}}, "credit": [{"lang": "eng", "value": "This vulnerability was reported by Forescout."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An unauthenticated, remote attacker could upload malicious logic to the devices based on ProConOS/ProConOS eCLR in order to gain full control over the device."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-345 Insufficient Verification of Data Authenticity"}]}]}, "references": {"reference_data": [{"name": "https://cert.vde.com/en/advisories/VDE-2022-026/", "refsource": "CONFIRM", "url": "https://cert.vde.com/en/advisories/VDE-2022-026/"}]}, "source": {"advisory": "VDE-2022-026", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:26:01.136Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://cert.vde.com/en/advisories/VDE-2022-026/"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-02T19:55:07.271340Z", "id": "CVE-2022-31801", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-02T20:16:11.339Z"}}]}, "cveMetadata": {"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "assignerShortName": "CERTVDE", "cveId": "CVE-2022-31801", "datePublished": "2022-06-21T08:00:31.688Z", "dateReserved": "2022-05-30T00:00:00.000Z", "dateUpdated": "2026-06-02T20:16:11.339Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://cert.vde.com/en/advisories/VDE-2022-026/", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:26:01.136Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-31801", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-06-02T19:55:07.271340Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-02T19:54:59.405Z"}}], "cna": {"title": "Insufficient Verification of Data Vulnerability in ProConOS/ProConOS eCLR SDK and MULTIPROG Engineering tool", "source": {"advisory": "VDE-2022-026", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "value": "This vulnerability was reported by Forescout."}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "PHOENIX CONTACT", "product": "MULTIPROG", "versions": [{"status": "affected", "version": "All Versions"}]}, {"vendor": "PHOENIX CONTACT", "product": "ProConOS", "versions": [{"status": "affected", "version": "All Versions"}]}, {"vendor": "PHOENIX CONTACT", "product": "ProConOS eCLR", "versions": [{"status": "affected", "version": "All Versions"}]}], "datePublic": "2022-06-21T00:00:00.000Z", "references": [{"url": "https://cert.vde.com/en/advisories/VDE-2022-026/", "tags": ["x_refsource_CONFIRM"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "An unauthenticated, remote attacker could upload malicious logic to the devices based on ProConOS/ProConOS eCLR in order to gain full control over the device."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-345", "description": "CWE-345 Insufficient Verification of Data Authenticity"}]}], "providerMetadata": {"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "shortName": "CERTVDE", "dateUpdated": "2022-06-21T08:00:31.000Z"}, "x_legacyV4Record": {"credit": [{"lang": "eng", "value": "This vulnerability was reported by Forescout."}], "impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, "source": {"advisory": "VDE-2022-026", "discovery": "EXTERNAL"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_name": "All Versions", "version_value": "All Versions", "version_affected": "="}]}, "product_name": "MULTIPROG"}, {"version": {"version_data": [{"version_name": "All Versions", "version_value": "All Versions", "version_affected": "="}]}, "product_name": "ProConOS"}, {"version": {"version_data": [{"version_name": "All Versions", "version_value": "All Versions", "version_affected": "="}]}, "product_name": "ProConOS eCLR"}]}, "vendor_name": "PHOENIX CONTACT"}]}}, "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://cert.vde.com/en/advisories/VDE-2022-026/", "name": "https://cert.vde.com/en/advisories/VDE-2022-026/", "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "An unauthenticated, remote attacker could upload malicious logic to the devices based on ProConOS/ProConOS eCLR in order to gain full control over the device."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-345 Insufficient Verification of Data Authenticity"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-31801", "STATE": "PUBLIC", "TITLE": "Insufficient Verification of Data Vulnerability in ProConOS/ProConOS eCLR SDK and MULTIPROG Engineering tool", "ASSIGNER": "info@cert.vde.com", "DATE_PUBLIC": "2022-06-21T07:00:00.000Z"}}}}, "cveMetadata": {"cveId": "CVE-2022-31801", "state": "PUBLISHED", "dateUpdated": "2026-06-02T20:16:11.339Z", "dateReserved": "2022-05-30T00:00:00.000Z", "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "datePublished": "2022-06-21T08:00:31.688Z", "assignerShortName": "CERTVDE"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:phoenixcontact:multiprog:*:*:*:*:*:*:*:*", "matchCriteriaId": "42452860-CB53-479D-ADE1-E8166EC834C4", "vulnerable": true}, {"criteria": "cpe:2.3:o:phoenixcontact:proconos:*:*:*:*:*:*:*:*", "matchCriteriaId": "80770720-B149-44CA-B6CA-25EB8C9A115C", "vulnerable": true}, {"criteria": "cpe:2.3:o:phoenixcontact-software:proconos_eclr:-:*:*:*:*:*:*:*", "matchCriteriaId": "4CDFE3B8-1A42-4E5E-92BD-5F1B07EF0377", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An unauthenticated, remote attacker could upload malicious logic to the devices based on ProConOS/ProConOS eCLR in order to gain full control over the device."}, {"lang": "es", "value": "Un atacante remoto no autenticado podr\u00eda cargar l\u00f3gica maliciosa en los dispositivos basados en ProConOS/ProConOS eCLR para conseguir el control total del dispositivo"}], "id": "CVE-2022-31801", "lastModified": "2024-11-21T07:05:21.537", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "info@cert.vde.com", "type": "Secondary"}]}, "published": "2022-06-21T08:15:07.587", "references": [{"source": "info@cert.vde.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://cert.vde.com/en/advisories/VDE-2022-026/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://cert.vde.com/en/advisories/VDE-2022-026/"}], "sourceIdentifier": "info@cert.vde.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-345"}], "source": "info@cert.vde.com", "type": "Secondary"}]}