PHOENIX CONTACT: mGuard products missing initialization of resource

LAN ports of Phoenix Contact mGuard products get functional after reboot even if they are disabled in the device configuration

VDE-2020-046 (2020-12-17 11:00 UTC+0200)

CVE Identifier


Affected Vendors

Phoenix Contact, Innominate

Affected Products

Article no Article Affected versions Fixed version
1010461 TC MGUARD RS4000 4G VZW VPN < 8.8.3 Download
1010463 TC MGUARD RS4000 4G ATT VPN < 8.8.3 Download
2701876 FL MGUARD RS4004 TX/DTX < 8.8.3 Download
2701877 FL MGUARD RS4004 TX/DTX VPN < 8.8.3 Download
2903440 TC MGUARD RS4000 3G VPN < 8.8.3 Download
2903586 TC MGUARD RS4000 4G VPN < 8.8.3 Download
Innominate mGuard rs4000 4TX/TX < 8.8.3 Download
Innominate mGuard rs4000 4TX/TX VPN < 8.8.3 Download
Innominate mGuard rs4000 4TX/3G/TX VPN < < 8.8.3 Download


For mGuard devices with integrated switch on the LAN side, single switch ports can be disabled by device configuration. After a reboot these ports get functional independent from their configuration setting: Missing Initialization of Resource (CWE-909).


After a reboot, affected mGuard devices may unexpectedly receive or send data on disabled switch ports. This includes the unexpected provision of administrative interfaces. Attackers may try to access confidential data or compromise the availability of mGuard services by flooding or resource exhaustion.


Temporary Fix / Mitigation

Instead of deactivating by configuration, network cables should be detached from affected switch


PHOENIX CONTACT recommends all mGuard users to upgrade to the firmware version 8.8.3.

Reported by

This vulnerability was discovered by SMST Designers & Constructors B.V.