Phoenix Contact: Several products are affected by vulnerabilities found in OpenSSL

Plan Patch | CVSS 9.8 | VDE-2026-023 | Apr 22, 2026
Phoenix Contact | Energy
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

OpenSSL vulnerabilities (CWE-787, out-of-bounds write) affect numerous Phoenix Contact industrial devices used in energy infrastructure. An authenticated attacker with high privileges can upload malicious firmware or digitally signed objects to a device, leading to arbitrary code execution. Exploitation requires valid engineering or administrator credentials and access to the device's management interface: the attacker uploads a crafted file that triggers the underlying OpenSSL flaw during firmware installation or signature verification.

What this means
What could happen
An attacker with access to upload firmware or signed objects could execute arbitrary code on industrial gateways, routers, controllers, and network appliances, potentially disrupting communications, altering process control, or stopping facility operations.
Who's at risk
Energy sector operators using Phoenix Contact industrial controllers, gateways, routers, and network appliances. Specifically affected are CHARX security controllers, AXC F and GTC F industrial controllers, FL MGUARD firewalls and switches, FL WLAN access points, TC ROUTER mobile cellular routers, CELLULINK cellular modules, and legacy ILC and CATAN controllers used in substations, renewable installations, and facility automation systems.
How it could be exploited
An attacker must upload a malicious firmware file or digitally signed object to a device. This requires network access to the device's web interface or management port and valid high-privilege credentials (engineering or administrative account). Once uploaded, the malicious code executes with device privileges, giving the attacker full control.
Prerequisites
  • Network access to the device's management interface (web UI or SSH)
  • Valid high-privilege credentials (engineering workstation account or administrator login)
  • Ability to upload files to the device
  • Device firmware version below the patched release
Key points:
  • remotely exploitable via the management interface
  • requires valid high-privilege credentials
  • no further authentication barrier once those credentials are compromised
  • affects industrial controllers and safety-related devices
  • no patch available for multiple product families (FL SWITCH, FL WLAN, ILC, CATAN, Energy AXC PU, SMART RTU)
Exploitability
Unlikely to be exploited — EPSS score 0.7%
Affected products (145)
44 with fix, 101 pending

Product           Affected Versions   Fix Status
CHARX SEC-3150    < 1.9.0             1.9.0
CHARX SEC-3100    < 1.9.0             1.9.0
CHARX SEC-3050    < 1.9.0             1.9.0
CHARX SEC-3000    < 1.9.0             1.9.0
AXC F 1152        < 2024.0.17         2024.0.17
Remediation & Mitigation
Do now
WORKAROUND: Verify the SHA256 checksum of all firmware images before uploading to confirm they are from a trusted source and have not been tampered with
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

AXC F 1152
HOTFIX: Update AXC F and GTC F series (AXC F 1152, AXC F 2152, GTC F 2172, AXC F 3152), RFC, NFC, and BPC devices to firmware version 2024.0.17 or later
AXC F 2000 EA
HOTFIX: Update AXC F 2000 EA to firmware version 2026.0.0 or later
TC ROUTER 3002T-4G
HOTFIX: Update TC ROUTER 3002T-4G and related models to firmware version 3.8.9 or later; update TC ROUTER 5004T-5G EU to firmware version 1.6.24 or later
All products
HOTFIX: Update CHARX SEC series (SEC-3150, SEC-3100, SEC-3050, SEC-3000) to firmware version 1.9.0 or later
HOTFIX: Update FL MGUARD series devices to firmware version 10.6.1 or later
HOTFIX: Update CELLULINK 2401-4G and 4401-4G devices to firmware version 2025.6.3 or later
Long-term hardening
HARDENING: Restrict management interface access to authorized engineering and administrative users only; disable remote management if not required
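The fix table and the SHA256 workaround above lend themselves to a small triage script. The following is an added example, not code from Phoenix Contact or from this advisory: it transcribes the fixed versions listed on this page into a lookup keyed by product or family (families the page marks "pending" map to None), decides per inventory entry whether an update, a workaround-only posture, or nothing is required, and checks a firmware image against a published digest before it is uploaded. The sample image and digest in self_check are constructed.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Fix status transcribed from the advisory above, keyed by product or family.
# None = listed as "pending": no fixed release, only workaround/hardening apply.
FIX_TABLE = {
    "CHARX SEC-3150": "1.9.0", "CHARX SEC-3100": "1.9.0",
    "CHARX SEC-3050": "1.9.0", "CHARX SEC-3000": "1.9.0",
    "AXC F 1152": "2024.0.17", "AXC F 2000 EA": "2026.0.0",
    "TC ROUTER 3002T-4G": "3.8.9", "TC ROUTER 5004T-5G EU": "1.6.24",
    "FL MGUARD": "10.6.1", "CELLULINK 2401-4G": "2025.6.3",
    "FL SWITCH": None, "FL WLAN": None, "ILC": None, "CATAN": None,
}

def parse_version(v: str) -> tuple:
    """'2024.0.17' -> (2024, 0, 17): numeric tuples sort '1.10.0' above '1.9.0'."""
    return tuple(int(p) for p in v.strip().split("."))

def triage(product: str, installed: str) -> str:
    """Decide what the advisory requires for one inventory entry."""
    if product not in FIX_TABLE:
        return "not listed"
    fixed = FIX_TABLE[product]
    if fixed is None:
        return "vulnerable, no fix: restrict management access"
    if parse_version(installed) < parse_version(fixed):
        return f"vulnerable: update to {fixed}"
    return "fixed"

def verify_image(path, expected_sha256: str) -> bool:
    """Stream-hash a firmware image and compare it with the vendor-published
    digest; the upload should be refused unless they match."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected_sha256.strip().lower())

def self_check() -> tuple:
    """Constructed sample (not a real image) plus a copy with one byte changed."""
    image = b"PHOENIX-FW-SAMPLE\x00" * 1000
    published = hashlib.sha256(image).hexdigest()  # stands in for the vendor digest
    with tempfile.TemporaryDirectory() as d:
        good, bad = Path(d, "good.bin"), Path(d, "bad.bin")
        good.write_bytes(image)
        bad.write_bytes(image[:-1] + b"\x01")
        return verify_image(good, published), verify_image(bad, published)
```

In practice the lookup should be keyed by the exact model strings from your asset inventory, and the expected digest should be taken from the vendor's download page, not from the same channel that delivered the image.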
