PHOENIX CONTACT : Security Advisory for FL SWITCH SMCS series

Multiple vulnerabilities have been discovered in the current firmware of the PHOENIX CONTACT FL SWITCH SMCS series switches.

VDE-2021-023 (2021-06-23 14:14 UTC+0200)

Affected Vendors

Phoenix Contact

Affected Products

Product number Product name Firmware version
2700996 FL SWITCH SMCS 16TX <= 4.70
2700997 FL SWITCH SMCS 14TX/2FX <= 4.70
2701466 FL SWITCH SMCS 14TX/2FX-SM <= 4.70
2891123 FL SWITCH SMCS 8GT <= 4.70
2891479 FL SWITCH SMCS 6GT/2SFP <= 4.70
2989103 FL SWITCH SMCS 8TX-PN <= 4.70
2989093 FL SWITCH SMCS 4TX-PN <= 4.70
2989226 FL SWITCH SMCS 8TX <= 4.70
2989323 FL SWITCH SMCS 6TX/2SFP <= 4.70
2700290 FL SWITCH SMN 6TX/2POF-PN <= 4.70
2989501 FL SWITCH SMN 8TX-PN <= 4.70
2989543 FL SWITCH SMN 6TX/2FX <= 4.70
2989556 FL SWITCH SMN 6TX/2FX SM <= 4.70
2989365 FL NAT SMN 8TX <= 4.63
2702443 FL NAT SMN 8TX-M <= 4.63


CVE-ID: CVE-2021- 20003
Description: Fragmented TCP-Packets may cause a Denial of Service of Web-, SNMP-, and ICMP Echo- service. The switching functionality of the device is not affected.

CVE-ID: CVE-2021- 20004
Description: An attacker may insert malicious code via LLDP frames into the web-based management which could then be executed by the client.

CVE-ID: CVE-2021- 20005
Description: If an attacker sends a hand-crafted TCP-Packet with the Urgent-Flag set and the Urgent-Pointer set to 0, the network stack will crash. The device needs to be rebooted afterwards.


An attacker may use the vulnerabilities described above to provoke a denial of service to defeat certain management functions of the device or use the XSS vulnerability to attack the client PC.


Temporary Fix / Mitigation

Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection

Reported by

These vulnerabilities have been discovered and reported by Anne Borcherding, Fraunhofer- Institut für Optronik, Systemtechnik und Bildauswertung IOSB.
We kindly appreciate the coordinated disclosure of this vulnerability by the finder.
PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.