Phoenix Contact: Multiple Vulnerabilities in FL SWITCH 2xxx, FL SWITCH TSN 23xx and FL SWITCH 59xx Firmware

CVSS 7.2 | VDE-2025-104 | Mar 18, 2026
Phoenix Contact
Attack path
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities exist in FL SWITCH 2xxx, FL SWITCH TSN 23xx and FL SWITCH 59xx firmware versions prior to 3.53. CVE-2026-22317 allows an attacker who already holds high-privilege (administrative) credentials to execute commands remotely as root. CVE-2026-22316, CVE-2026-22318, CVE-2026-22319, CVE-2026-22320, and CVE-2026-22321 enable denial-of-service attacks that limit device functionality. CVE-2026-22322 and CVE-2026-22323 are reflected cross-site scripting and cross-site request forgery vulnerabilities in the web-based management interface. All vulnerabilities have been resolved in firmware version 3.53.

What this means
What could happen
An attacker with administrative credentials could execute arbitrary commands as root on industrial network switches, potentially disrupting plant communications, data logging, and factory automation. Alternatively, an unauthenticated attacker could launch denial-of-service attacks or inject malicious scripts into the device's web interface to compromise network availability or manipulate switch configuration.
Who's at risk
Industrial network switch operators and system integrators managing Phoenix Contact FL SWITCH equipment in manufacturing plants, water utilities, power distribution systems, and other critical infrastructure. This affects dozens of switch models across multiple product lines used to connect PLCs, RTUs, HMIs, and other control devices.
How it could be exploited
An attacker with administrative access can exploit CVE-2026-22317 to execute system commands with root privileges on the switch. For DoS and web-based vulnerabilities (CVE-2026-22316/22318/22319/22320/22321/22322/22323), the attacker can send crafted network requests or manipulate the web interface without authentication to degrade device functionality or inject malicious content into the management interface.
Prerequisites
  • Administrative credentials to the device (for command execution vulnerability)
  • Network access to the device management interface (web UI or CLI)
  • For DoS attacks: network reachability to the switch
Tags: remotely exploitable, low complexity, high CVSS score (7.2), command execution as root, denial of service, web interface vulnerabilities, affects industrial network infrastructure
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (154)
154 with fix
Product           Affected Versions   Fix Status
FL SWITCH 2005    < 3.53              Fix available
FL SWITCH 2005    3.50                Fix available
FL SWITCH 2008    < 3.53              Fix available
FL SWITCH 2008    3.50                Fix available
FL SWITCH 2016    < 3.53              Fix available
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the device management interface (web UI and CLI ports) to authorized engineering workstations and management systems only, using firewall rules or access control lists
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update firmware on all affected FL SWITCH 2xxx, FL SWITCH TSN 23xx, and FL SWITCH 59xx devices to version 3.53 or later
Long-term hardening
HARDENING: Disable or protect the web-based management interface if not actively required, or enforce strong authentication if enabled
HARDENING: Implement network segmentation to isolate industrial network switches from untrusted networks and require VPN or jump-host access for remote management
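As an added example (not code from the advisory, OTPulse or Phoenix Contact), the check an asset owner would run over an inventory export to apply the advisory's fix condition: a device in the FL SWITCH 2xxx, TSN 23xx or 59xx families on firmware prior to 3.53 is affected, 3.53 or later is fixed, anything else is out of scope or needs manual verification. The sample inventory, its model numbers and its versions are constructed assumptions.

```python
import re
from typing import List, Optional, Tuple

# Firmware version in which the advisory says all eight CVEs are resolved.
FIXED_VERSION = (3, 53)
# Product families named in the advisory; each "x" stands for one digit.
AFFECTED_FAMILIES = ("FL SWITCH 2xxx", "FL SWITCH TSN 23xx", "FL SWITCH 59xx")

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """'3.53' or 'V3.50.1' -> comparable tuple; None when unparseable."""
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def family_regex(family: str):
    # Escape literal characters, turn each "x" into one digit; the lookahead allows a suffix.
    parts = [r"\d" if ch == "x" else re.escape(ch) for ch in family]
    return re.compile("^" + "".join(parts) + r"(?!\d)", re.IGNORECASE)

FAMILY_REGEXES = [family_regex(f) for f in AFFECTED_FAMILIES]

def in_scope(model: str) -> bool:
    model = " ".join(model.split())  # normalise whitespace from inventory exports
    return any(rx.match(model) for rx in FAMILY_REGEXES)

def triage(model: str, version: str) -> str:
    """Return affected | fixed | not_in_scope | unknown_version for one device."""
    if not in_scope(model):
        return "not_in_scope"
    parsed = parse_version(version)
    if parsed is None:
        return "unknown_version"
    # Advisory condition: every version prior to 3.53 is affected.
    return "affected" if parsed < FIXED_VERSION else "fixed"

# Constructed sample inventory; model numbers and versions are assumptions, not page data.
SAMPLE_INVENTORY = [
    ("FL SWITCH 2005", "3.50"),
    ("FL SWITCH 2008", "3.53"),
    ("FL SWITCH TSN 2312", "3.20"),
    ("FL SWITCH 5900", "V3.60"),
    ("FL SWITCH 1001", "2.10"),  # not one of the advisory's families
    ("FL SWITCH 2016", "n/a"),   # version missing: verify by hand
]

def needs_attention(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Devices to patch now (affected) or to check manually (version unknown)."""
    rows = [(model, version, triage(model, version)) for model, version in inventory]
    return [r for r in rows if r[2] in ("affected", "unknown_version")]
```

Feed it the (model, version) pairs from your asset inventory in place of SAMPLE_INVENTORY; devices it reports as affected are the ones the HOTFIX item above applies to.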