OTPulse

PHOENIX CONTACT FL SWITCH 3xxx/4xxx/48xx Series

Act Now · CVSS 9.1 · ICS-CERT ICSA-18-137-02 · May 17, 2018
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

Phoenix Contact FL SWITCH 3xxx, 4xxx, and 48xx series switches running firmware versions 1.0 through 1.32 contain multiple vulnerabilities (CWE-77 command injection, CWE-200 information exposure, CWE-121 buffer overflow) that could allow remote code execution and information disclosure. The vulnerabilities are remotely exploitable but require high privileges. The vendor recommends upgrading to firmware version 1.34 or higher.

What this means
What could happen
An attacker with network access and high-level credentials could execute arbitrary commands on affected switches, potentially altering network traffic routing, disrupting communications between control systems and PLCs, or accessing sensitive configuration data from the device.
Who's at risk
Water utilities, power distribution facilities, and other critical infrastructure using Phoenix Contact FL SWITCH managed switches for network segmentation and industrial Ethernet communications between substations, water treatment plants, and distributed control systems. Any organization relying on these switches as a network backbone for OT communications should prioritize assessment.
How it could be exploited
An attacker on the network would need to authenticate with high-privilege credentials (e.g., admin account) to the switch management interface (typically port 80/443 or SSH port 22). Once authenticated, the attacker could inject commands or exploit buffer overflows in the firmware to achieve remote code execution on the switch.
Prerequisites
  • Network reachability to the switch management interface (HTTP/HTTPS or SSH)
  • High-privilege administrator or engineering credentials for the switch
  • Knowledge of the specific firmware version running on the target switch
remotely exploitable · high-privilege credentials required · affects network infrastructure critical to process control · high CVSS score (9.1)
Exploitability
Moderate exploit probability (EPSS 3.4%)
Affected products (1)
Product: All FL SWITCH 3xxx 4xxx and 48xxx Series products running firmware
Affected Versions: ≥ 1.0 | ≤ 1.32
Fix Status: No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to switch management interfaces (HTTP/HTTPS, SSH) to authorized engineering workstations only using firewall rules or access control lists. Block management port access from untrusted networks.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade all affected FL SWITCH 3xxx, 4xxx, and 48xx series devices to firmware version 1.34 or higher. Download firmware updates from the Phoenix Contact product pages provided for each model.
Long-term hardening
HARDENING: Isolate control system networks containing these switches behind firewalls and separate from the business network. Ensure switches are not directly accessible from the Internet.
HARDENING: If remote access to switches is required, route all management traffic through a secure VPN with current security patches. Audit VPN credentials and restrict access to named individuals.
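
An added example (not from the advisory or from Phoenix Contact) for triaging an asset inventory against the firmware bounds stated above: 1.0 through 1.32 affected, 1.34 or higher recommended. It assumes firmware strings are `major.minor` with an integer minor; the hostnames, model strings and the `parse_version`, `classify` and `triage` helpers are constructed for illustration.

```python
import re

# Bounds from the advisory: 1.0 through 1.32 affected, 1.34 or higher recommended.
AFFECTED_MIN = (1, 0)
AFFECTED_MAX = (1, 32)
FIXED_MIN = (1, 34)

# Assumption: models are recorded as "FL SWITCH <4 digits>..."; 48xx also matches 4xxx.
MODEL_RE = re.compile(r"^FL SWITCH [34]\d{3}", re.IGNORECASE)


def parse_version(text):
    """Parse 'major.minor' into an integer tuple; return None if malformed."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\s*", text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify(model, firmware):
    """Return not-in-scope, unknown-version, affected, below-recommended or ok."""
    if not MODEL_RE.match(model.strip()):
        return "not-in-scope"
    version = parse_version(firmware)
    if version is None:
        return "unknown-version"      # needs manual verification on the device
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"
    if version < FIXED_MIN:
        return "below-recommended"    # e.g. 1.33: outside the listed range, not yet 1.34
    return "ok"

# Constructed sample inventory (hostnames, models and versions are illustrative).
INVENTORY = [
    ("sw-pump-01", "FL SWITCH 3008", "1.32"),
    ("sw-pump-02", "FL SWITCH 4824", "1.4"),   # minor 4 < 32; a float compare would miss it
    ("sw-sub-01", "FL SWITCH 4808", "1.34"),
    ("sw-sub-02", "FL SWITCH 3016", "1.33"),
    ("sw-sub-03", "FL SWITCH 3012", ""),
    ("sw-office", "OTHER SWITCH 2000", "1.10"),
]


def triage(inventory):
    """Map hostname -> classification for every inventory row."""
    return {host: classify(model, fw) for host, model, fw in inventory}


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:12} {status}")
```

Rows classified as unknown-version or below-recommended belong on the same upgrade list as affected ones until the running firmware is confirmed to be 1.34 or higher.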