Phoenix Contact: Multiple Vulnerabilities in FL SWITCH 2xxx Firmware

Plan PatchCVSS 7.1VDE-2025-071Dec 9, 2025

Phoenix Contact

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Multiple vulnerabilities in FL SWITCH 2xxx and FL NAT devices before firmware version 3.50. Two vulnerabilities (CVE-2025-41692, CVE-2025-41696) allow file system access. Two vulnerabilities (CVE-2025-41693, CVE-2025-41694) cause denial of service affecting device functionality. One vulnerability (CVE-2025-41697) permits unauthenticated physical access to a login shell via an undocumented UART port. Additional vulnerabilities allow reflected cross-site scripting attacks in the web-based management interface. All issues are resolved in firmware version 3.50.

What this means

What could happen

An attacker could gain unauthorized access to the switch's file system and management interface, disrupt network operations through denial of service, or bypass authentication via an undocumented physical debug port. This directly impacts network availability and data integrity in your control environment.

Who's at risk

Manufacturing facilities, water treatment plants, electric utilities, and other industrial operations using Phoenix Contact FL SWITCH 2xxx series managed switches for network infrastructure. Any facility relying on these switches for network connectivity between control systems, PLCs, and remote I/O devices should prioritize patching.

How it could be exploited

A remote attacker with network access to the switch's management interface could exploit file system access vulnerabilities to read or modify configuration, or inject malicious input through the web UI to trigger cross-site scripting. A physical attacker with UART port access could connect to the undocumented debug port to obtain an unauthenticated shell. A remote attacker could also trigger denial of service by sending specially crafted network traffic.

Prerequisites

Network access to the switch's management interface (HTTP/HTTPS ports) for remote exploitation
Physical access to the switch's UART debug port for shell access
No authentication required for some file system access and UART vulnerabilities

remotely exploitableno authentication required for file system and shell accesslow complexitymultiple attack vectors (network, physical)affects network infrastructure supporting control systems

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (69)

69 with fix

ProductAffected VersionsFix Status

FL SWITCH 2005< 3.503.50

FL SWITCH 2008< 3.503.50

FL SWITCH 2016< 3.503.50

FL SWITCH 2105< 3.503.50

FL SWITCH 2108< 3.503.50

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDRestrict network access to the management interface (HTTP/HTTPS ports) to authorized engineering workstations and management networks only via firewall rules

HARDENINGDisable or physically secure access to UART/debug ports on all switches to prevent unauthorized local access

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade firmware on all affected FL SWITCH 2xxx and FL NAT devices to version 3.50 or later

HARDENINGReview and audit any switch configuration files for unauthorized modifications during the period before patching

CVEs (14)

CVE-2025-41693 CVE-2025-41695 CVE-2025-41746 CVE-2025-41748 CVE-2025-41749 CVE-2025-41751 CVE-2025-41696 CVE-2025-41692 CVE-2025-41694 CVE-2025-41745 CVE-2025-41747 CVE-2025-41750 CVE-2025-41752 CVE-2025-41697

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/f78be32d-eb28-4836-ae24-03602c156b77

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.