Phoenix Contact: Security Advisory for AXL F BK and IL BK bus couplers

Plan Patch | CVSS 7.5 | VDE-2025-029 | May 13, 2025
Phoenix Contact
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Phoenix Contact AXL F and IL bus couplers are vulnerable to a denial of service attack targeting port 80 (HTTP service). The vulnerability is a resource exhaustion issue (CWE-770) that can overload the device and degrade or halt network communications. The issue has been observed when network security scanners or tools probe port 80 on these devices. Some models have received firmware fixes (FW2.00 for AXL F BK PN variants, FW1.32 for AXL F BK ETH variants), while others are end-of-life with no planned fixes.

What this means
What could happen
An attacker or misconfigured security scanner that sends multiple requests to port 80 can overwhelm the coupler's HTTP service, causing it to become unresponsive and potentially disconnecting industrial devices from the network, disrupting process communications and control.
Who's at risk
Water and electric utilities operating Phoenix Contact bus couplers for Ethernet, PROFINET, EtherIP, and serial communication should evaluate their deployed models. AXL F BK and IL BK series devices that act as fieldbus-to-Ethernet gateways or IO couplers in SCADA systems, RTU networks, and distributed control architectures are affected. Organizations running automated network security scanners on closed production networks may trigger this vulnerability inadvertently.
How it could be exploited
An attacker with network access to port 80 on a bus coupler can send a high volume of HTTP requests to exhaust device resources. Network security scanners running DoS tests against port 80 can trigger this condition without intentional malice, causing the coupler to stop responding to legitimate traffic.
Prerequisites
  • Network access to port 80 (HTTP) on the bus coupler
  • No authentication required—the HTTP service is accessible without credentials
  • Attacker or scanner must be on the same network segment as the coupler or able to reach port 80 from the IT network
  • Remotely exploitable
  • No authentication required
  • Low complexity attack (high volume requests)
  • Affects network-attached industrial devices
  • Several models have no fix planned (end-of-life)
  • Can be triggered inadvertently by security scanning tools
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (14)
4 with fix, 10 EOL

Product              Affected Versions   Fix Status
AXL F BK PN TPS      ≤ FW1.33            FW2.00
AXL F BK PN TPS XC   ≤ FW1.33            FW2.00
AXL F BK ETH         ≤ FW1.31            FW1.32
AXL F BK ETH XC      ≤ FW1.33            FW1.32
AXL F BK SAS         ≤ FW1.35            No fix (EOL)
AXL F BK EIP         ≤ FW1.30            No fix (EOL)
AXL F BK EIP EF      ≤ FW1.30            No fix (EOL)
IL PN BK-PAC         ≤ FW1.13            No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate all bus couplers (especially end-of-life models without fixes) in a closed industrial network segment with no direct access from IT networks or external connections
WORKAROUND: Deploy a firewall rule to block or restrict access to port 80 on bus couplers from untrusted networks; allow only authorized engineering workstations and control systems
WORKAROUND: If network security scanning is required, configure scanners to exclude port 80 DoS tests or disable denial of service test categories for device types matching these couplers
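As an added example (not Phoenix Contact's or OTPulse's code), the following Python script checks a connection log for the two conditions the remediation items above target: sources that reached a coupler's TCP/80 without being on the engineering-workstation allowlist, and sources whose request rate to a single coupler looks like a scanner DoS test or a flood. The log format, addresses and the burst threshold are constructed assumptions; the advisory gives no request-rate figure.

```python
"""Flag TCP/80 traffic to bus couplers that violates the allowlist or looks like a
request flood. Added example, not vendor code; inventory, log format and thresholds
are constructed for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed inventory: couplers to protect and the only clients allowed on TCP/80.
COUPLERS = {"10.20.1.11", "10.20.1.12"}
AUTHORIZED_CLIENTS = {"10.20.0.5"}   # engineering workstation (assumed)
BURST_THRESHOLD = 50                 # requests per window (assumed; advisory gives no number)
WINDOW_SECONDS = 10

# Constructed firewall/flow log: "<ISO timestamp> <src> -> <dst>:<port>".
# 10.20.0.9 makes one unauthorized request; 10.20.0.77 sends 60 requests in 5 seconds.
SAMPLE_LOG = (
    "2025-05-13T08:00:00 10.20.0.5 -> 10.20.1.11:80\n"
    "2025-05-13T08:00:01 10.20.0.5 -> 10.20.1.11:80\n"
    "2025-05-13T08:00:02 10.20.0.9 -> 10.20.1.12:80\n"
    + "".join(f"2025-05-13T08:00:{3 + i // 12:02d} 10.20.0.77 -> 10.20.1.11:80\n"
              for i in range(60))
)

def parse_line(line):
    ts, src, _, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)

def unauthorized_clients(log):
    """Sources that reached a coupler on TCP/80 without being allowlisted,
    i.e. traffic the recommended firewall rule should have dropped."""
    return {src for ts, src, dst, port in map(parse_line, log.splitlines())
            if dst in COUPLERS and port == 80 and src not in AUTHORIZED_CLIENTS}

def burst_sources(log, threshold=BURST_THRESHOLD, window=WINDOW_SECONDS):
    """(src, coupler) pairs whose TCP/80 request count exceeds `threshold` inside any
    sliding `window`-second span: the pattern of a scanner DoS test or a real flood."""
    stamps = defaultdict(list)
    for ts, src, dst, port in map(parse_line, log.splitlines()):
        if dst in COUPLERS and port == 80:
            stamps[(src, dst)].append(ts)
    flagged = set()
    for key, times in stamps.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window:
                start += 1           # slide the window forward
            if end - start + 1 > threshold:
                flagged.add(key)
                break
    return flagged
```

Run against real firewall or flow exports by adapting `parse_line` to the export format; any source in either result set is a candidate for the firewall rule or the scanner exclusion described above.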
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

AXL F BK PN TPS
HOTFIX: Update AXL F BK PN TPS and AXL F BK PN TPS XC to firmware version FW2.00 or later
AXL F BK ETH
HOTFIX: Update AXL F BK ETH and AXL F BK ETH XC to firmware version FW1.32 or later