OTPulse

PHOENIX CONTACT FL SWITCH

Act Now | CVSS 9.8 | ICS-CERT ICSA-18-011-03 | Jan 11, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Remotely exploitable vulnerability in Phoenix Contact FL SWITCH devices (firmware versions 1.0 through 1.32). The vulnerability allows unauthenticated attackers to execute arbitrary commands on the device via the management interface. Affected devices include 27 FL SWITCH models used in industrial networks. Improper access controls and lack of input validation permit command execution without valid credentials.

What this means
What could happen
An attacker with network access to a vulnerable FL SWITCH device can execute arbitrary commands on the network switch, potentially disrupting communication between your control systems, SCADA equipment, and field devices. This could prevent operators from monitoring or controlling critical processes like water treatment, pump stations, or substation operations.
Who's at risk
Water authorities and electric utilities operating Phoenix Contact FL SWITCH devices in any production network, particularly those in critical control system paths such as water treatment plant SCADA networks, wastewater pump station automation, or electric substation communication networks. Any facility using these managed switches for industrial networking is affected.
How it could be exploited
An attacker on the network sends a specially crafted request to the FL SWITCH device's management interface. The switch lacks proper authentication and input validation, allowing the attacker to execute arbitrary commands remotely without needing valid credentials. Once commands execute on the switch, the attacker can reconfigure network routing, block traffic, or pivot to connected control systems.
Prerequisites
  • Network access to the FL SWITCH management interface (typically port 80/443 or Ethernet)
  • No valid credentials required
  • Device running vulnerable firmware version 1.32 or earlier
  • Remotely exploitable
  • No authentication required
  • Low skill level to exploit
  • No patch available for most affected models
  • Critical CVSS score (9.8)
  • Affects network infrastructure supporting safety systems
Exploitability
Moderate exploit probability (EPSS 1.2%)
Affected products (27)
1 with fix, 26 EOL

Product                                 Affected Versions   Fix Status
FL SWITCH 3006T-2FX SM: firmware        ≥ 1.0 | ≤ 1.32      No fix (EOL)
FL SWITCH 4012T-2GT-2FX ST: firmware    ≥ 1.0 | ≤ 1.32      No fix (EOL)
FL SWITCH 4808E-16FX-4G: firmware       ≥ 1.0 | ≤ 1.32      No fix (EOL)
FL SWITCH 4012T 2GT 2FX: firmware       ≥ 1.0 | ≤ 1.32      No fix (EOL)
FL SWITCH 4008T-2GT-3FX SM: firmware    ≥ 1.0 | ≤ 1.32      No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Implement firewall rules to restrict access to FL SWITCH management ports (80, 443) to authorized engineering workstations only
WORKAROUND: Disable remote management access to switches if not actively required; require local console access for configuration
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade FL SWITCH firmware to version 1.33 or higher on all affected devices
Mitigations - no patch available
The following products have reached End of Life with no planned fix: FL SWITCH 3006T-2FX SM: firmware, FL SWITCH 4012T-2GT-2FX ST: firmware, FL SWITCH 4808E-16FX-4G: firmware, FL SWITCH 4012T 2GT 2FX: firmware, FL SWITCH 4008T-2GT-3FX SM: firmware, FL SWITCH 4808E-16FX SM LC-4GC: firmware, FL SWITCH 3016E: firmware, FL SWITCH 3006T-2FX: firmware, FL SWITCH 4000T-8POE-2SFP-R: firmware, FL SWITCH 3012E-2FX SM: firmware, FL SWITCH 3016: firmware, FL SWITCH 3008T: firmware, FL SWITCH 4008T-2GT-4FX SM: firmware, FL SWITCH 4808E-16FX ST-4GC: firmware, FL SWITCH 4808E-16FX LC-4GC: firmware, FL SWITCH 4800E-24FX-4GC: firmware, FL SWITCH 3012E-2SFX: firmware, FL SWITCH 4808E-16FX SM ST-4GC: firmware, FL SWITCH 4824E-4GC: firmware, FL SWITCH 3008: firmware, FL SWITCH 4008T-2SFP: firmware, FL SWITCH 4800E-24FX SM-4GC: firmware, FL SWITCH 3004T-FX: firmware, FL SWITCH 3004T-FX ST: firmware, FL SWITCH 3006T-2FX ST: firmware, FL SWITCH 3016T: firmware. Apply the following compensating controls:
HARDENING: Segment network switches onto a separate OT management network not directly reachable from corporate IT or untrusted networks
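
A firmware triage pass over a switch inventory, sorting each device into the actions this advisory names. This is an added example, not part of the advisory or any vendor tooling. The CSV layout, hostnames, the model "9999X" and the integer comparison of version components (so 1.4 is older than 1.32) are assumptions.

```python
import csv
import io
import re

# Affected range stated on this page: firmware 1.0 through 1.32 (1.33 is the fix).
AFFECTED_MIN, AFFECTED_MAX = (1, 0), (1, 32)

# Models this page lists as End of Life with no planned fix.
EOL_MODELS = {m.strip().upper() for m in """
    3006T-2FX SM; 4012T-2GT-2FX ST; 4808E-16FX-4G; 4012T 2GT 2FX; 4008T-2GT-3FX SM;
    4808E-16FX SM LC-4GC; 3016E; 3006T-2FX; 4000T-8POE-2SFP-R; 3012E-2FX SM; 3016;
    3008T; 4008T-2GT-4FX SM; 4808E-16FX ST-4GC; 4808E-16FX LC-4GC; 4800E-24FX-4GC;
    3012E-2SFX; 4808E-16FX SM ST-4GC; 4824E-4GC; 3008; 4008T-2SFP;
    4800E-24FX SM-4GC; 3004T-FX; 3004T-FX ST; 3006T-2FX ST; 3016T
""".split(";")}

# Constructed sample inventory; hostnames and the model "9999X" are made up.
SAMPLE_INVENTORY = """host,model,firmware
sw-plant-01,FL SWITCH 3006T-2FX SM,1.4
sw-plant-02,FL SWITCH 9999X,1.33
sw-pump-03,FL SWITCH 4008T-2SFP,1.32
sw-sub-04,FL SWITCH 9999X,1.20
sw-sub-05,FL SWITCH 3008T,unknown
"""

def parse_version(text):
    """Parse 'major.minor' (optional leading 'v') into a tuple of integers."""
    m = re.fullmatch(r"\s*[vV]?(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def triage(model, firmware):
    """Return 'patched', 'upgrade', 'compensate' or 'review' for one switch."""
    try:
        version = parse_version(firmware)
    except ValueError:
        return "review"  # unknown firmware is never treated as safe
    if version > AFFECTED_MAX:
        return "patched"
    if version < AFFECTED_MIN:
        return "review"  # below the range this page describes
    name = re.sub(r"^FL SWITCH\s+", "", model.strip(), flags=re.I).upper()
    # EOL models get the compensating controls; others the 1.33 upgrade.
    return "compensate" if name in EOL_MODELS else "upgrade"

def triage_inventory(csv_text):
    """Return {host: action} for every row of a host,model,firmware CSV."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: triage(r["model"], r["firmware"]) for r in rows}
```

Comparing versions as floats or strings would rank 1.4 above 1.32 and report sw-plant-01 as patched; the tuple comparison keeps it in the affected range.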