
PHOENIX CONTACT: FL MGUARD DM version 1.12.0 and 1.13.0 Improper Privilege Management

VDE-2021-035
Last update
22.05.2025 15:03
Published at
11.08.2021 09:59
Vendor(s)
Phoenix Contact GmbH & Co. KG
External ID
VDE-2021-035
Summary

Access to the Apache web server that is installed as part of FL MGUARD DM on Microsoft Windows does not require login credentials, even if credentials were configured during installation.

Impact

Attackers with network access to the Apache web server can download and therefore read mGuard configuration profiles ('ATV profiles'). Such configuration profiles may contain sensitive information, e.g. private keys associated with IPsec VPN connections.

Affected Product(s)

Model no.   Product name   Affected versions
2981974     FL MGUARD DM   1.12.0
2981974     FL MGUARD DM   1.13.0

Vulnerabilities


Published
22.09.2025 14:58
Weakness
Improper Privilege Management (CWE-269)
References

Mitigation

Stop the ApacheMDM Windows service.

Edit the file apache/conf/extra/httpd-mdm.conf below the directory in which FL MGUARD DM is installed, and remove the following two lines from the section for 'DocumentRoot' and from the section for the alias '/atv':

    # Controls who can get stuff from this server.
    Require all granted

Start the ApacheMDM Windows service.

Afterwards, confirm that an unauthenticated HTTP request for /atv/ on the server is rejected instead of returning the list of configuration profiles.
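The configuration edit from the mitigation above, as an added example that is not part of the advisory and not Phoenix Contact's code. It removes the two lines only from the <Directory> blocks belonging to the DocumentRoot and to the target of 'Alias /atv', leaves any other block untouched, and offers a check that can be run after the ApacheMDM service has been restarted (Stop-Service / Start-Service in PowerShell, done separately). The sample httpd-mdm.conf layout is constructed and the host name in the HTTP check is hypothetical; the real file and server will differ.

```python
import re
import shutil
import urllib.error
import urllib.request
from pathlib import Path

# Constructed sample of an httpd-mdm.conf; assumption: the real file is laid out
# like a stock Apache 2.4 config with per-directory <Directory> blocks.
SAMPLE_CONF = """\
ServerRoot "C:/Program Files/FL MGUARD DM/apache"
Listen 443
DocumentRoot "C:/Program Files/FL MGUARD DM/htdocs"

<Directory "C:/Program Files/FL MGUARD DM/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    # Controls who can get stuff from this server.
    Require all granted
</Directory>

Alias /atv "C:/ProgramData/FL MGUARD DM/atv"
<Directory "C:/ProgramData/FL MGUARD DM/atv">
    Options Indexes
    # Controls who can get stuff from this server.
    Require all granted
</Directory>

# An unrelated block that the mitigation does not touch (constructed).
Alias /icons "C:/Program Files/FL MGUARD DM/apache/icons"
<Directory "C:/Program Files/FL MGUARD DM/apache/icons">
    Require all granted
</Directory>
"""

# The two lines the advisory says to remove from the DocumentRoot and /atv blocks.
DROP = (
    re.compile(r"#\s*Controls who can get stuff from this server\.?$", re.I),
    re.compile(r"Require\s+all\s+granted$", re.I),
)


def _tokens(line):
    """Split an Apache directive line, honouring double-quoted paths with spaces."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', line)]


def _norm(path):
    """Normalise a path for comparison (Windows paths are case-insensitive)."""
    return path.replace("\\", "/").rstrip("/").lower()


def target_paths(conf):
    """Directories whose blocks must be edited: DocumentRoot and the /atv alias target."""
    targets = set()
    for raw in conf.splitlines():
        t = _tokens(raw.strip())
        if not t or t[0].startswith("#"):
            continue
        if t[0].lower() == "documentroot" and len(t) >= 2:
            targets.add(_norm(t[1]))
        elif t[0].lower() == "alias" and len(t) >= 3 and t[1] == "/atv":
            targets.add(_norm(t[2]))
    return targets


def harden(conf):
    """Return (new_conf, removed); removed lists (directory, line) pairs dropped from
    the <Directory> blocks of the target paths. Every other block is left as it is."""
    targets = target_paths(conf)
    kept, removed, current = [], [], None
    for raw in conf.splitlines(keepends=True):
        s = raw.strip()
        opened = re.match(r"<Directory\s+(.+?)\s*>$", s, re.I)
        if opened:
            path = _tokens(opened.group(1))[0]
            current = path if _norm(path) in targets else None
        elif re.match(r"</Directory\s*>$", s, re.I):
            current = None
        elif current is not None and any(p.match(s) for p in DROP):
            removed.append((current, s))
            continue
        kept.append(raw)
    return "".join(kept), removed


def still_open(conf):
    """Check: target directories whose block still grants anonymous access."""
    _, would_remove = harden(conf)
    return sorted({d for d, line in would_remove if line.lower().startswith("require")})


def apply_to_file(conf_path):
    """Back up conf_path to conf_path.bak, rewrite it hardened, return the removed lines."""
    p = Path(conf_path)
    shutil.copy2(p, p.with_suffix(p.suffix + ".bak"))
    new_conf, removed = harden(p.read_text(encoding="utf-8"))
    p.write_text(new_conf, encoding="utf-8")
    return removed


def anonymous_access_allowed(url):
    """Post-restart check: does an unauthenticated GET of the profile directory still
    return 200? Assumption: url points at the FL MGUARD DM server, e.g.
    https://mdm.example/atv/ (hypothetical host). TLS or connection errors propagate
    so that they are not mistaken for 'access denied'."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url), timeout=10) as resp:
            return resp.status == 200
    except urllib.error.HTTPError:
        return False  # 401/403 is the expected outcome once the mitigation is in place


if __name__ == "__main__":
    hardened, dropped = harden(SAMPLE_CONF)
    print(f"removed {len(dropped)} lines; still open before: {still_open(SAMPLE_CONF)}; "
          f"after: {still_open(hardened)}")
```

Run still_open() on the file before the edit to see which of the two directories are affected, apply_to_file() to make the change, restart ApacheMDM, then anonymous_access_allowed("https://<server>/atv/") should return False; a True means the profiles are still exposed.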

Remediation

This vulnerability is fixed in FL MGUARD DM 1.13.0.1. We advise all affected FL MGUARD DM 1.12.0 and 1.13.0 users to upgrade to FL MGUARD DM 1.13.0.1 or a later version.
Additional recommendations:

  • Limit network access to the Apache web server to as few network addresses as possible.
  • If possible, make use of encrypted mGuard configuration profiles.

Revision History

Version Date Summary
1 11.08.2021 09:59 initial revision
2 10.02.2025 10:30 Update: Provider data has been corrected
3 22.05.2025 15:03 Fix: quotation mark