PHOENIX CONTACT improper access control exists on FL NAT devices when using MAC-based port security (Update A)

VDE-2019-020 (2019-10-29 12:56 UTC+0200)

CVE Identifier


Affected Vendors


Affected Products

Article Nr Model
2702882 FL NAT 2208
2702981 FL NAT 2304-2GC-2SFP

Vulnerability Type

Improper Access Control (CWE-284)


If MAC-based port security or 802.1x port security is enabled, the FL NAT 2xxx will unintentionally grant access to unauthorized devices in case of routed transmission.

Subnet 2---(Ports belonging to subnet 2)
            FL NAT 2xxx
           (Ports belonging to subnet 1, port sec ON)---- 2nd device
                                                      -- unauthorized device

The unauthorized device can access other devices in subnet 2 but cannot access the 2nd device in subnet 1


If port security is enabled on a port, a device not authorized by MAC based port security or 802.1x based port security can access another subnet via the FL NAT 2xxx device that is routing between the subnet the unauthorized device is residing in and the 2nd subnet.


Users should take care that network security is not relying solely on separating subnets with MAC or 802.1x based port security if the FL NAT 2xxx device is serving as a router between the subnets.

Update 2020-05-18: Firmware V2.90 is released and available for download.

Article no.


Affected Firmware

Current Firmware


FL NAT 2208

< 2.90



FL NAT 2304-2GC-2SFP

< 2.90


NOTE: If traps/logs/syslog for unauthorized access are enabled, notifications about the unauthorized access will be sent.

Reported by

PHOENIX CONTACT reported this vulnerability to CERT@VDE