Phoenix Contact: Unbounded growth of the session cache in TCP encapsulation service in FL MGUARD 2xxx and 4xxx firmware

Monitor | CVSS 5.9 | VDE-2025-109 | Feb 10, 2026
Phoenix Contact
Attack path
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

The OpenSSL library in FL MGUARD 2102, 2105, 4302, 4305, 4102 PCIE, and 4102 PCI firmware (version 10.5.0) contains a vulnerability in the TLSv1.3 implementation that causes unbounded growth of the session cache in the TCP encapsulation service. This memory leak can eventually exhaust device memory, rendering the firewall unresponsive and disrupting network traffic to connected OT devices. The issue is present in OpenSSL 3.0.0 and later versions used by these products. Phoenix Contact has released firmware version 10.6.0 to address this issue and recommends using Pathfinder as an alternative to TCP encapsulation.

What this means
What could happen
An attacker with network access could trigger unbounded memory growth in the TLSv1.3 session cache on FL MGUARD industrial firewalls, potentially causing device memory exhaustion and denial of service, interrupting network connectivity to controlled equipment.
Who's at risk
Water utilities and municipal electric utilities that use Phoenix Contact FL MGUARD 2xxx or 4xxx industrial firewalls for network edge protection and encryption of remote access to SCADA systems, PLCs, or RTUs are affected. The vulnerability impacts both inline gateway models (2102, 2105, 4302, 4305) and PCI-based models (4102 PCIE, 4102 PCI).
How it could be exploited
An attacker sends specially crafted TLSv1.3 handshakes to the TCP encapsulation service on the affected mGuard device. Each such session consumes memory that is not properly cleaned up, eventually consuming all available RAM on the device. Once memory is exhausted, the device becomes unresponsive and must be rebooted to restore operations.
Prerequisites
  • Network access to the TCP encapsulation service port on the mGuard device
  • TCP encapsulation feature enabled on the target mGuard device
  • No authentication required
Remotely exploitable | No authentication required | Medium CVSS score (5.9) | Denial of service potential | Affects industrial network security boundary device
Exploitability
Some exploitation risk — EPSS score 4.2%
Affected products (8)
6 with fix, 2 EOL
Product | Affected Versions | Fix Status
FL MGUARD 2102 | 10.5.0 | 10.6.0
FL MGUARD 2105 | 10.5.0 | 10.6.0
FL MGUARD 4302 | 10.5.0 | 10.6.0
FL MGUARD 4305 | 10.5.0 | 10.6.0
FL MGUARD 4102 PCIE | 10.5.0 | 10.6.0
FL MGUARD 4102 PCI | 10.5.0 | 10.6.0
OpenSSL 3.0.0 | 3.0.0 | No fix (EOL)
OpenSSL 3.0.13 | 3.0.13 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Disable TCP encapsulation on affected mGuard devices if possible; use Pathfinder instead
HARDENING: Restrict network access to the TCP encapsulation service port to only trusted engineering networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update FL MGUARD firmware to version 10.6.0 or higher
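
The prerequisites and remediation steps above, applied to an asset inventory, as an added example that is not part of the original advisory or any Phoenix Contact tooling. The inventory columns, host names and status labels are assumptions made for illustration; the models and versions are those in the product table.

```python
import csv
import io

# Models and versions exactly as listed in the advisory's product table.
AFFECTED_MODELS = {"2102", "2105", "4302", "4305", "4102 PCIE", "4102 PCI"}
AFFECTED_VERSION = (10, 5, 0)
FIXED_VERSION = (10, 6, 0)

# Constructed sample inventory; the column names are assumptions for this example.
SAMPLE_INVENTORY = """host,model,firmware,tcp_encap,port_restricted
fw-pump-01,FL MGUARD 4302,10.5.0,yes,no
fw-pump-02,FL MGUARD 2105,10.5.0,yes,yes
fw-sub-03,FL MGUARD 4102 PCIE,10.5.0,no,yes
fw-sub-04,FL MGUARD 4305,10.6.0,yes,no
fw-lab-05,FL MGUARD 2102,10.4.1,yes,no
"""

def parse_version(text):
    """Turn '10.5.0' into (10, 5, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))

def triage(row):
    """Return (status, actions) for one inventory row."""
    model = row["model"].upper().replace("FL MGUARD", "").strip()
    version = parse_version(row["firmware"])
    if model not in AFFECTED_MODELS:
        return "not-listed", []
    if version >= FIXED_VERSION:
        return "fixed", []
    if version != AFFECTED_VERSION:
        # The advisory names only 10.5.0; do not guess about other releases.
        return "check-vendor", ["confirm status against advisory VDE-2025-109"]
    actions = ["schedule firmware update to 10.6.0 or higher"]
    if row["tcp_encap"] != "yes":
        return "affected-encap-off", actions
    actions.insert(0, "disable TCP encapsulation if possible; use Pathfinder instead")
    if row["port_restricted"] != "yes":
        actions.insert(1, "restrict encapsulation port to trusted engineering networks")
        return "affected-exposed", actions
    return "affected-restricted", actions

def triage_inventory(text):
    return {r["host"]: triage(r) for r in csv.DictReader(io.StringIO(text))}

if __name__ == "__main__":
    for host, (status, actions) in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}; " + "; ".join(actions))
```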