VDE-2025-109
Last update
02/10/2026 09:00
Published at
02/10/2026 09:00
Vendor(s)
Phoenix Contact GmbH & Co. KG
External ID
VDE-2025-109
CSAF Document
Summary
The OpenSSL library used in the affected products is vulnerable to an unbounded growth of the session cache in the TLSv1.3 implementation.
Impact
A remote attacker can exhaust all the memory by establishing a large number of TLSv1.3 connections to the TCP encapsulation service, causing the device to reboot.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| OpenSSL 3.0.0 | OpenSSL 3.0.0 | |
| OpenSSL 3.0.13 | OpenSSL 3.0.13 | |
| 1357828 | FL MGUARD 2102 | Firmware 10.5.0 |
| 1357850 | FL MGUARD 2105 | Firmware 10.5.0 |
| 1441187 | FL MGUARD 4102 PCI | Firmware 10.5.0 |
| 1357842 | FL MGUARD 4102 PCIE | Firmware 10.5.0 |
| 1357840 | FL MGUARD 4302 | Firmware 10.5.0 |
| 1357875 | FL MGUARD 4305 | Firmware 10.5.0 |
Vulnerabilities
Expand / Collapse all
Published
02/10/2026 14:06
Severity
Weakness
Improperly Controlled Sequential Memory Allocation (CWE-1325)
References
Mitigation
It is recommended to disable TCP encapsulation on affected mGuard devices and use Pathfinder instead.
Remediation
Phoenix Contact strongly recommends upgrading affected mGuard devices to firmware version 10.6.0 or higher which fixes this vulnerability.
Acknowledgments
Phoenix Contact GmbH & Co. KG thanks the following parties for their efforts:
- CERT@VDE for coordination (see https://certvde.com )
Revision History
| Version | Date | Summary |
|---|---|---|
| 1.0.0 | 02/10/2026 09:00 | Initial release. |