PHOENIX CONTACT: Security Advisory for AXL F BK and IL BK products
Severity score: 9.8 (Act Now)
Advisory ID: VDE-2021-021
Published: Jun 23, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
An undocumented, hardcoded FTP credential provides unauthenticated root filesystem access to certain AXL F BK and IL BK devices. Phoenix Contact has released firmware patches for seven variants of the AXL F BK product family but has not addressed the vulnerability in the AXL F BK EIP (older hardware), ETH NET2, PN, PN XC, SAS, and all IL BK remote I/O product variants. The vendor recommends operating these devices in closed networks protected by a firewall. For patched devices, the firmware update disables the undocumented FTP service.
What this means
What could happen
An attacker with network access could use a hardcoded FTP credential to connect to affected devices and read or modify files in the root directory, potentially altering control logic or configuration, or stealing operational data. Compromised devices could be reconfigured or have their firmware replaced, leading to loss of process control or availability.
Who's at risk
Water utilities and municipal electric authorities operating Phoenix Contact AXL F BK gateway/control units (EIP, ETH, PN, S3 variants) and IL BK remote I/O modules should care about this. These devices are often deployed in substation automation, process control, and real-time networked systems. Models with no available patch are at permanent risk.
How it could be exploited
An attacker on the network sends FTP connection requests to port 21 on an affected device. The device accepts the undocumented credential and grants full access to the root filesystem. The attacker can then download or upload files to modify device behavior or extract sensitive configuration and process data.
Prerequisites
- Network reachability to the affected device on port 21 (FTP)
- Knowledge of the undocumented FTP credential (hardcoded in the device)
- No authentication bypass required beyond the hardcoded password
- Remotely exploitable
- No authentication required (hardcoded credential)
- Low complexity
- Affects control system fieldbus gateways
- No patch available for the majority of the IL BK product line
- No patch available for several AXL F BK variants
Affected products (18)
7 with fix, 11 EOL
Product                      | Affected Versions | Fix Status
AXL F BK EIP EF (HW < 01)    | < 1.30            | FW1.30, HW 05
AXL F BK ETH (HW < 05)       | FW1.30, HW 01     | FW1.30, HW 05
AXL F BK ETH XC (HW < 05)    | < 1.30            | FW1.30, HW 05
AXL F BK PN TPS (HW < 02)    | < 1.30            | FW1.30, HW 02
AXL F BK PN TPS XC (HW < 01) | < 1.30            | FW1.30, HW 01
Remediation & Mitigation
Do now
WORKAROUND: For devices with no firmware fix available (AXL F BK EIP, ETH NET2, PN, PN XC, SAS and all IL BK variants), restrict FTP access with a firewall rule that blocks inbound TCP port 21 traffic from untrusted networks.
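The workaround above only helps if the rule is actually enforced and nothing outside the trusted engineering network reaches port 21 on the unpatched devices. The following is an added example, not code from Phoenix Contact or from the advisory: it runs simple detection logic over a few constructed firewall/flow log lines (timestamp, action, source, destination, protocol, destination port) and flags every FTP connection to a known affected device that did not originate from a trusted management subnet. The device addresses, the trusted subnet and the log lines are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample log lines (not real device or firewall output).
# Format per line: timestamp action src dst proto dport
SAMPLE_LOG = """\
2021-06-24T08:01:12Z ACCEPT 10.20.1.15 10.50.0.11 tcp 21
2021-06-24T08:01:40Z ACCEPT 192.168.77.4 10.50.0.11 tcp 21
2021-06-24T08:02:03Z ACCEPT 10.20.1.15 10.50.0.12 tcp 502
2021-06-24T08:02:30Z ACCEPT 172.16.9.9 10.50.0.13 tcp 21
2021-06-24T08:03:11Z DROP 172.16.9.9 10.50.0.13 tcp 21
"""

# Constructed inventory: addresses assigned to devices from the affected
# product families, keyed by IP, with a human-readable label.
AFFECTED_DEVICES = {
    "10.50.0.11": "AXL F BK PN (no fix available)",
    "10.50.0.12": "IL PN BK DI8 DO4 2TX-PAC (no fix available)",
    "10.50.0.13": "AXL F BK ETH XC (fix: FW1.30, HW 05)",
}

# Constructed: the only subnet expected to open FTP sessions to these devices.
TRUSTED_SOURCES = [ipaddress.ip_network("10.20.1.0/24")]

FTP_CONTROL_PORT = 21


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str
    device: str
    action: str  # ACCEPT means the firewall rule is not enforced for this source


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, action, src, dst, proto, dport = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        dport = int(dport)
    except ValueError:
        return None
    return {"ts": ts, "action": action.upper(), "src": src,
            "dst": dst, "proto": proto.lower(), "dport": dport}


def is_trusted(src, trusted=TRUSTED_SOURCES):
    """True if the source address lies inside one of the trusted subnets."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in trusted)


def find_untrusted_ftp(log_text, devices=AFFECTED_DEVICES, trusted=TRUSTED_SOURCES):
    """Return every TCP/21 connection to an affected device from an untrusted host."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] != "tcp" or rec["dport"] != FTP_CONTROL_PORT:
            continue
        if rec["dst"] not in devices:
            continue
        if is_trusted(rec["src"], trusted):
            continue
        findings.append(Finding(rec["ts"], rec["src"], rec["dst"],
                                devices[rec["dst"]], rec["action"]))
    return findings


def accepted_findings(log_text, **kwargs):
    """Only the attempts the firewall let through: these are policy violations."""
    return [f for f in find_untrusted_ftp(log_text, **kwargs) if f.action == "ACCEPT"]


if __name__ == "__main__":
    for f in find_untrusted_ftp(SAMPLE_LOG):
        severity = "VIOLATION" if f.action == "ACCEPT" else "blocked attempt"
        print(f"{f.timestamp} {severity}: {f.src} -> {f.dst} ({f.device})")
```

Dropped attempts are still reported, because repeated blocked connections from an unexpected host are worth an investigation even when the rule held; accepted ones show where the workaround is not in place. The same check can be pointed at a real flow export by replacing `SAMPLE_LOG` and the two constructed tables with the site's own inventory.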
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update affected AXL F BK devices (EIP, EIP EF, ETH, ETH XC, PN TPS, PN TPS XC, S3) to the latest available firmware versions as specified in the advisory.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: AXL F BK EIP (HW < 05), AXL F BK PN, AXL F BK SAS, IL EIP BK DI8 DO4 2TX-PAC, IL ETH BK DI8 DO4 2TX-PAC, IL ETH BK DI8 DO4 2TX-XC-PAC, IL PN BK DI8 DO4 2SCRJ-PAC, IL PN BK DI8 DO4 2TX-PAC, IL PN BK-PAC, IL S3 BK DI8 DO4 2TX-PAC, AXL F BK PN XC. Apply the following compensating controls:
HARDENING: Segment network-capable Phoenix Contact devices into a separate management VLAN or air-gapped network to prevent lateral movement if a device is compromised.
CVEs (1)