CVE-2014-9195
CVE-2014-9195 is a critical-severity vulnerability in Phoenixcontact-software Multiprog with a CVSS 2.0 base score of 10.0. Its EPSS exploit-prediction score of 81% places it in the 100th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-306.
Key facts
- Severity: Critical (CVSS 2.0 base score 10.0)
- EPSS exploit prediction: 81% (100th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-306
- Affected product: Phoenixcontact-software Multiprog
- Published:
- Last modified:
Description
Phoenix Contact ProConOs and MultiProg do not require authentication, which allows remote attackers to execute arbitrary commands via protocol-compliant traffic.
Frequently asked questions
- What is CVE-2014-9195?
- Phoenix Contact ProConOs and MultiProg do not require authentication, which allows remote attackers to execute arbitrary commands via protocol-compliant traffic.
- How severe is CVE-2014-9195?
- CVE-2014-9195 has a CVSS 2.0 base score of 10.0, rated critical severity.
- Is CVE-2014-9195 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 81% (100th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2014-9195?
- CVE-2014-9195 primarily affects Phoenixcontact-software Multiprog. In total, 7 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2014-9195?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- When was CVE-2014-9195 published?
- CVE-2014-9195 was published on 2015-01-17 and last updated on 2026-06-17.
References
- https://www.cisa.gov/news-events/ics-advisories/icsa-15-013-03
- https://www.exploit-db.com/exploits/37066/
- https://ics-cert.us-cert.gov/advisories/ICSA-15-013-03
Affected products (7)
- cpe:2.3:a:phoenixcontact-software:multiprog:5.0:*:*:*:*:*:*:*
- cpe:2.3:a:phoenixcontact-software:multiprog:5.0:*:*:*:express:*:*:*
- cpe:2.3:a:phoenixcontact-software:multiprog:5.0:*:*:*:pro\+:*:*:*
- cpe:2.3:o:phoenixcontact-software:proconos_eclr:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact-software:proconos_eclr:*:*:*:*:single_chip:*:*:*
- cpe:2.3:o:phoenixcontact-software:proconos_eclr:*:*:*:*:softplc:*:*:*
- cpe:2.3:o:phoenixcontact-software:proconos_eclr:*:*:*:*:visual_studio:*:*:*
Other CWE-306 (Missing Authentication for Critical Function) vulnerabilities
- CVE-2026-54309 — Critical (CVSS 10.0): n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, when @n8n/mcp-browser is run in HTTP…
- CVE-2026-50242 — Critical (CVSS 10.0): In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429…
- CVE-2026-49257 — Critical (CVSS 10.0): mcp-pinot is a Python-based Model Context Protocol (MCP) server for interacting with Apache Pinot. In versions 3.0.1…
- CVE-2026-46846 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework).…
- CVE-2026-46803 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework).…
- CVE-2026-46800 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites).…
Browse all CWE-306 (Missing Authentication for Critical Function) vulnerabilities →