Phoenix Contact: Two vulnerabilities in the jq JSON processor utilized by FL MGUARD 110x devices

Plan PatchCVSS 7.5VDE-2025-077Sep 9, 2025

Phoenix Contact

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The jq JSON processor used by FL MGUARD 110x devices to migrate firmware configurations contains two vulnerabilities: an integer overflow (CWE-190) and a buffer overflow (CWE-787). An authenticated attacker can exploit these flaws during configuration migration to cause a denial of service or potentially execute arbitrary code on the device.

What this means

What could happen

An attacker with valid credentials to a FL MGUARD 110x device could exploit vulnerabilities in the jq JSON processor during firmware configuration migration to cause a denial of service or potentially corrupt device configuration, disrupting network security appliance operations.

Who's at risk

Organizations using Phoenix Contact FL MGUARD 1102 or 1105 industrial firewall/security appliances should prioritize this update. These devices are commonly used to protect industrial networks and provide security filtering at network boundaries in manufacturing, water/wastewater, electrical, and other critical infrastructure environments.

How it could be exploited

An attacker with valid administrative or engineering credentials on the device would trigger the jq JSON processor during a firmware configuration migration. The attacker could craft a malicious JSON payload that exploits the integer overflow (CWE-190) or buffer overflow (CWE-787) to crash the processor or execute code on the device, which runs security and filtering functions for the network.

Prerequisites

Valid administrative credentials for the FL MGUARD device
Access to the configuration migration or firmware update interface
Ability to provide crafted JSON configuration input

remotely exploitableaffects boundary security devicedenial of service possiblehigh CVSS score

Exploitability

Unlikely to be exploited — EPSS score 0.6%

Public Proof-of-Concept (PoC) on GitHub (1 repository)

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

FL MGUARD 1102<1.8.11.8.1

FL MGUARD 1105<1.8.11.8.1

Remediation & Mitigation

0/4

Do now

0/1

HARDENINGRestrict administrative access to FL MGUARD devices to authorized personnel only and use strong, unique credentials

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

FL MGUARD 1102

HOTFIXUpdate FL MGUARD 1102 devices to firmware version 1.8.1 or later

FL MGUARD 1105

HOTFIXUpdate FL MGUARD 1105 devices to firmware version 1.8.1 or later

Long-term hardening

0/1

HARDENINGReview and audit configuration migration activities on FL MGUARD devices to detect unauthorized attempts

CVEs (2)

CVE-2024-23337 CVE-2025-48060

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/c377809c-073a-46fd-88dd-d93038835871

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.