OTPulse

PHOENIX CONTACT FL COMSERVER, FL COM SERVER, and PSI-MODEM/ETH

Plan PatchCVSS 8.2ICS-CERT ICSA-17-341-03Dec 5, 2017
Phoenix Contact
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionRequired
Summary

A cross-site scripting (XSS) vulnerability exists in the web management interfaces of Phoenix Contact FL COMSERVER (all variants: RS232, RS485, BAS, BASIC, UNI) and PSI-MODEM/ETH devices. The vulnerability is caused by insufficient input validation on web form fields. An attacker can inject malicious JavaScript code that executes in the context of an authenticated user's browser session, potentially allowing unauthorized actions such as changing device settings, rebooting the device, or disrupting serial communications. Affected firmware versions are < 1.99, 2.20, and 2.40 across all product variants.

What this means
What could happen
An attacker could inject malicious commands into web interface input fields, allowing them to interrupt or manipulate communication between networked automation devices. This could cause process disruption or loss of data integrity in industrial control systems.
Who's at risk
Any facility using Phoenix Contact FL COMSERVER or PSI-MODEM/ETH devices for remote terminal servers or serial-to-Ethernet gateways in industrial automation networks. These devices are commonly used in utilities, manufacturing, and critical infrastructure to manage serial communication (RS232/RS485/RS422) protocols over network connections. This affects both direct remote operations and integrated ICS monitoring/control environments.
How it could be exploited
An attacker sends a specially crafted request to the device's web interface with malicious input (e.g., through a form field or URL parameter). Because there is no input validation, the attacker's code executes in the context of other users' browser sessions. If a device operator or engineer visits the malicious page, their session could be hijacked or sensitive actions could be performed without their knowledge.
Prerequisites
  • Network access to the device's HTTP/HTTPS web interface (port 80/443 typical)
  • User interaction required: victim must visit or interact with a page containing the injected malicious code
Remotely exploitableLow complexity attackUser interaction requiredNo patch availableAffects device management interface
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (14)
7 with fix7 EOL
ProductAffected VersionsFix Status
FL COM SERVER RS232: firmware< 1.99 | 2.20 | 2.40No fix (EOL)
FL COMSERVER BAS 232/422/485-T: firmware< 1.99 | 2.20 | 2.40No fix (EOL)
FL COMSERVER BASIC 232/422/485: firmware< 1.99 | 2.20 | 2.40No fix (EOL)
FL COMSERVER UNI 232/422/485: firmware< 1.99 | 2.20 | 2.40No fix (EOL)
FL COM SERVER RS485: firmware< 1.99 | 2.20 | 2.40No fix (EOL)
PSI-MODEM/ETH: firmware< 1.99 | 2.20 | 2.40No fix (EOL)
FL COMSERVER BASIC 232/422/485<2.402.40
FL COMSERVER BASIC 232/422/485-T<2.402.40
Remediation & Mitigation
0/4
Do now
0/2
HARDENINGRestrict network access to the web interface to authorized engineering workstations and administration networks using firewall rules or network segmentation
WORKAROUNDDisable the web interface entirely if it is not required for operations; revert to serial console or local management only
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

HARDENINGImplement a web application firewall (WAF) or intrusion prevention system (IPS) rule to detect and block common cross-site scripting (XSS) injection patterns targeting these devices
HARDENINGTrain operators and engineers not to click links or access the device interface from untrusted sources; require access only from secured, known networks
View full CISA ICS-CERT advisory
API: /api/v1/advisories/6e11173e-35b3-4485-accf-96230722fb38

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.