OTPulse
FeedAboutContact

Phoenix Contact: Unbounded growth of the session cache in TCP encapsulation service in FL MGUARD 2xxx and 4xxx firmware

Monitor5.9VDE-2025-109Feb 10, 2026
Attack VectorNetwork
Auth RequiredNone
ComplexityHigh
User InteractionNone needed
Summary

The OpenSSL library in affected Phoenix Contact mGuard devices contains a vulnerability in the TLSv1.3 implementation that allows unbounded growth of the session cache. An attacker could cause the cache to grow without limit by establishing multiple TLS sessions, consuming device memory until the firewall becomes unresponsive or fails. This affects FL MGUARD 2102, 2105, 4302, 4305, 4102 PCIE, and 4102 PCI models running firmware version 10.5.0.

What this means
What could happen
An attacker could cause unbounded memory consumption on your mGuard firewall/gateway by exploiting a flaw in the TLSv1.3 session cache, leading to device slowdown or potential denial of service if available memory is exhausted.
Who's at risk
Organizations operating Phoenix Contact FL MGUARD 2xxx and 4xxx series industrial firewalls/gateways, particularly those used for remote management, VPN termination, or network segmentation in manufacturing, utilities, and critical infrastructure environments. This affects any facility relying on these devices for OT network protection and remote access.
How it could be exploited
An attacker with network access to the mGuard's TCP encapsulation service (TLS port) could send specially crafted TLSv1.3 session establishment requests that accumulate in the session cache without proper cleanup. Repeated connections cause memory to grow unbounded until the device becomes resource-constrained and unresponsive.
Prerequisites
  • Network access to the mGuard device's TCP encapsulation service (typically port 443 or configured TLS port)
  • TLSv1.3 protocol support enabled on the affected mGuard firmware version
remotely exploitablelow complexityno authentication requiredaffects network availabilityaffects safety-critical infrastructure
Exploitability
Moderate exploit probability (EPSS 4.5%)
Affected products (8)
6 with fix2 EOL
ProductAffected VersionsFix Status
FL MGUARD 210210.5.010.6.0
FL MGUARD 210510.5.010.6.0
FL MGUARD 430210.5.010.6.0
FL MGUARD 430510.5.010.6.0
FL MGUARD 4102 PCIE10.5.010.6.0
FL MGUARD 4102 PCI10.5.010.6.0
OpenSSL 3.0.03.0.0No fix (EOL)
OpenSSL 3.0.133.0.13No fix (EOL)
Remediation & Mitigation
0/4
Do now
0/2
WORKAROUNDDisable TCP encapsulation on affected mGuard devices if not actively required for remote management or VPN operations
HARDENINGIf TCP encapsulation must remain enabled pending firmware update, restrict network access to the TLS port to only trusted management networks using firewall rules
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

FL MGUARD 2102
HOTFIXUpdate FL MGUARD 2102, 2105, 4302, 4305, 4102 PCIE, or 4102 PCI firmware to version 10.6.0 or higher
Mitigations - no patch available
0/1
The following products have reached End of Life with no planned fix: OpenSSL 3.0.0, OpenSSL 3.0.13. Apply the following compensating controls:
HARDENINGTransition to Pathfinder for remote device management instead of TCP encapsulation
View full CERT@VDE advisory
API: /api/v1/advisories/2042bebf-9c6e-4b57-90bd-4ac6c256a9be
Phoenix Contact: Unbounded growth of the session cache in TCP encapsulation service in FL MGUARD 2xxx and 4xxx firmware | CVSS 5.9 - OTPulse