Full Report
[Control Systems] Phoenix Contact Security Advisory (AV26-378)
Analysis Summary
# Vulnerability: Multiple Phoenix Contact Products Affected by OpenSSL Flaws
## CVE Details
*Note: The advisory refers to vulnerabilities integrated within OpenSSL. While the specific sub-CVEs are listed in the underlying VDE-2026-023 report, they generally encompass:*
- **CVE ID:** CVE-2024-2511, CVE-2024-4741, and others associated with VDE-2026-023.
- **CVSS Score:** Range from 4.3 to 7.5 (Medium to High)
- **CWE:** CWE-401 (Memory Leak), CWE-416 (Use After Free), CWE-770 (Resource Exhaustion)
## Affected Systems
- **Products:** A wide range of industrial networking and control components including AXC, BCP, CATAN, CELLULINK, CHARX, CLOUD CLIENT, Energy AXC, FL MGUARD, FL NAT, FL SWITCH, FL TIMESERVER, FL WLAN, GTC, ILC, NFC, PLCnext Control, RFC, SMART RTU, TC CLOUD CLIENT, TC ROUTER, and TC TIMESERVER.
- **Versions:**
- CATAN C1 EN: Prior to 1.12.3
- CELLULINK: Prior to 2025.6.3
- CHARX SEC-3XXX: Prior to 1.9.0
- CLOUD CLIENT 101T-TX/TX: Prior to 3.7.8
- Energy AXC PU: Prior to V04.27.00.00
- FL MGUARD: Prior to 10.6.0
- FL TIMESERVER NTP / TC TIMESERVER: Prior to 5.0.71.101
- PLCnext Control: Prior to 3.53
- *Multiple versions* for other listed products (AXC, BCP, FL NAT, FL SWITCH, FL WLAN, GTC, ILC, NFC, RFC, SMART RTU).
- **Configurations:** Systems utilizing SSL/TLS for secure communication or management interfaces.
## Vulnerability Description
These products utilize the OpenSSL library for cryptographic functions. The identified vulnerabilities include flaws that can lead to memory exhaustion (Denial of Service) or potential remote code execution via specifically crafted packets during the TLS handshake or certificate processing. Common issues include unbounded memory growth and "use-after-free" conditions within the OpenSSL implementation.
## Exploitation
- **Status:** No report of exploitation in the wild for these specific industrial implementations.
- **Complexity:** Medium
- **Attack Vector:** Network
## Impact
- **Confidentiality:** Low to Medium (Potential for memory disclosure in specific instances)
- **Integrity:** Low to Medium
- **Availability:** High (Primary risk is Denial of Service of the control or networking component)
## Remediation
### Patches
Phoenix Contact recommends updating to the following versions or later:
- **CATAN C1 EN:** 1.12.3
- **CELLULINK:** 2025.6.3
- **CHARX SEC-3XXX:** 1.9.0
- **CLOUD CLIENT:** 3.7.8
- **Energy AXC PU:** V04.27.00.00
- **FL MGUARD:** 10.6.0
- **FL/TC TIMESERVER NTP:** 5.0.71.101
- **PLCnext Control:** 3.53
- For other products marked "Multiple versions," users should consult the Phoenix Contact PSIRT portal for specific firmware updates.
### Workarounds
- **Network Segmentation:** Place affected devices behind firewalls and isolate them from the public internet.
- **Disabling Unused Services:** Disable web-based management (HTTPS) or other SSL/TLS-reliant services if not strictly required for operation.
- **Access Control:** Restrict access to management interfaces to trusted IP addresses only.
## Detection
- **Indicators of compromise:** Unexpected reboots of the device, unresponsive management interfaces, or exhaustion of system memory.
- **Detection methods and tools:** Use network IDS/IPS signatures designed to detect OpenSSL-specific exploits (e.g., Snort/Suricata rules for TLS protocol anomalies).
## References
- Phoenix Contact PSIRT: hXXps[://]www[.]phoenixcontact[.]com/en-pc/service-and-support/psirt
- VDE-2026-023 Advisory: hXXps[://]assets[.]phoenixcontact[.]com/file/929de711-0bf5-461d-8560-b918341524cd/media/original?pcsa-2026-00001_vde-2026-023[.]pdf
- Canadian Centre for Cyber Security: hXXps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/control-systems-phoenix-contact-security-advisory-av26-378