Phoenix Contact: Multiple Vulnerabilities in FL SWITCH 2xxx, FL SWITCH TSN 23xx and FL SWITCH 59xx Firmware

Status: Monitor
CVSS: 7.2
Advisory ID: VDE-2025-104
Date: Mar 18, 2026
Attack vector: Network
Auth required: High
Complexity: Low
User interaction: None needed
Summary

Multiple vulnerabilities exist in FL SWITCH 2xxx, FL SWITCH TSN 23xx, and FL SWITCH 59xx firmware versions prior to 3.53. CVE-2026-22317 allows remote code execution as root user on the device. Five additional vulnerabilities (CVE-2026-22316, CVE-2026-22318, CVE-2026-22319, CVE-2026-22320, CVE-2026-22321) enable denial of service attacks that can limit device functionality. CVE-2026-22322 is a reflected cross-site scripting vulnerability in the web management interface. CVE-2026-22323 is a cross-site request forgery vulnerability in web management. All vulnerabilities are resolved in firmware version 3.53.

What this means
What could happen
An attacker with administrative access could execute arbitrary commands as root on the switch, potentially altering network configuration, disrupting traffic flow to critical devices, or causing denial of service. Additional vulnerabilities allow attackers to crash the device or bypass authentication protections.
Who's at risk
Water authorities and electric utilities operating Phoenix Contact FL SWITCH network infrastructure—specifically FL SWITCH 2xxx series (compact managed switches), FL SWITCH TSN 23xx series (time-sensitive networking switches), and FL SWITCH 59xx series (high-performance switches). These switches are commonly used as core or edge devices in SCADA networks, RTU communications, and critical infrastructure networks where command execution could disrupt control system traffic or plant operations.
How it could be exploited
An attacker with valid administrative credentials can exploit a command injection flaw in the device's management interface to run arbitrary system commands with root privileges. The attacker could also trigger denial of service conditions by sending specially crafted network packets, or exploit web-based vulnerabilities (XSS, CSRF) to manipulate configuration through the web interface if an authorized user can be tricked into clicking a malicious link.
Prerequisites
  • Valid administrative credentials for the FL SWITCH management interface
  • Network access to the device's management port (typically port 80/443 for web interface or SSH port 22)
  • For some DoS vulnerabilities: ability to send network traffic to the device (no authentication required)
Key factors
  • remotely exploitable
  • low complexity
  • high administrative privileges required (limits immediate threat)
  • denial of service capability
  • no authentication required for some DoS attacks
  • command execution as root possible
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (154; 154 with fix)

Product           Affected versions   Fix status
FL SWITCH 2005    < 3.53              Fix available
FL SWITCH 2005    3.50                Fix available
FL SWITCH 2008    < 3.53              Fix available
FL SWITCH 2008    3.50                Fix available
FL SWITCH 2016    < 3.53              Fix available
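The table above lists affected versions as "< 3.53" (plus an explicit 3.50 entry) across three product families, and the fix in every case is firmware 3.53 or later. The following script is an added example, not part of the OTPulse advisory or any Phoenix Contact tooling: it takes a device inventory and flags every switch in an affected family running firmware below 3.53. The inventory is constructed sample data; hostnames, and model numbers other than 2005, 2008 and 2016, are assumed values, and it assumes firmware versions are dotted numeric strings (3.50, 3.53) that compare field by field.

```python
"""Inventory check against the VDE-2025-104 affected-version list.

Added example; not the advisory's or Phoenix Contact's own code.
Product families and the 3.53 fix version come from the advisory;
the inventory below is constructed sample data.
"""
import re
from dataclasses import dataclass

# Firmware version at which all eight CVEs are resolved (from the advisory).
FIXED_VERSION = (3, 53)

# Product families named in the advisory: FL SWITCH 2xxx, TSN 23xx, 59xx.
# Assumption: the model number is the last token of the product string.
AFFECTED_FAMILIES = (
    re.compile(r"^FL SWITCH 2\d{3}$"),
    re.compile(r"^FL SWITCH TSN 23\d{2}$"),
    re.compile(r"^FL SWITCH 59\d{2}$"),
)


def parse_version(text):
    """'3.50' -> (3, 50); '3.53.1' -> (3, 53, 1). Raises ValueError on junk.

    Assumption: dotted numeric fields compared numerically, so 3.50 < 3.53
    and 3.53.1 > 3.53 (Python tuple ordering gives exactly that).
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(product, version):
    """True if the product is in an affected family and runs firmware < 3.53."""
    if not any(pattern.match(product) for pattern in AFFECTED_FAMILIES):
        return False
    return parse_version(version) < FIXED_VERSION


@dataclass
class Finding:
    host: str
    product: str
    version: str
    action: str  # "update", "ok" or "unknown"


def assess_inventory(inventory):
    """Return one Finding per (host, product, version) row.

    Devices whose version string cannot be parsed are reported as
    "unknown" rather than silently treated as patched.
    """
    findings = []
    for host, product, version in inventory:
        try:
            affected = is_affected(product, version)
        except ValueError:
            findings.append(Finding(host, product, version, "unknown"))
            continue
        findings.append(
            Finding(host, product, version, "update" if affected else "ok")
        )
    return findings


# Constructed sample inventory (hostnames and the 5916/2300/1008 model
# numbers are assumed values, not taken from the advisory).
SAMPLE_INVENTORY = [
    ("sw-core-01", "FL SWITCH 5916", "3.50"),       # affected family, old firmware
    ("sw-edge-07", "FL SWITCH 2008", "3.53"),       # already on the fix version
    ("sw-tsn-02", "FL SWITCH TSN 2300", "3.20"),    # affected family, old firmware
    ("sw-other", "FL SWITCH 1008", "2.10"),         # not in an affected family
    ("sw-bad", "FL SWITCH 2005", "n/a"),            # inventory record is unusable
]

if __name__ == "__main__":
    for f in assess_inventory(SAMPLE_INVENTORY):
        print(f"{f.host:12} {f.product:20} {f.version:6} -> {f.action}")
```

Feed it the output of whatever asset inventory or SNMP sysDescr collection you already have, and treat every "unknown" row as a device that still needs a manual version check before it is counted as remediated.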
Remediation & Mitigation

Do now
  • WORKAROUND: Restrict administrative access to the management interface to trusted engineering workstations only using firewall rules

Schedule — requires maintenance window
  Patching may require device reboot — plan for process interruption
  • HOTFIX: Update all FL SWITCH 2xxx, FL SWITCH TSN 23xx, and FL SWITCH 59xx devices to firmware version 3.53 or later

Long-term hardening
  • HARDENING: Disable or restrict access to the web-based management interface if not actively used; use SSH with key-based authentication only
  • HARDENING: Implement network segmentation to isolate these switches on a dedicated management VLAN with strict access controls
Source: OTPulse advisory page (CVSS 7.2)