Summary
Attacks are possible when installing key files and digitally signed objects. These attacks can only be carried out if these files are uploaded and installed by a logged-in user with high privileges.
Impact
A successful attack using manipulated firmware or key files (PKCS#12) can lead to the execution of malicious code. This can jeopardize confidentiality, integrity and availability.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| | OpenSSL | 3.0.0, 3.0.18 |
| 1151412 | AXC F 1152 | Firmware <2024.0.17 |
| 1551772 | AXC F 2000 EA | Firmware <2026.0.0 |
| 2404267 | AXC F 2152 | Firmware <2024.0.17 |
| 1069208 | AXC F 3152 | Firmware <2024.0.17 |
| 1246285 | BPC 9102S | Firmware <2024.0.17 |
| 1371432 | CATAN C1 EN | Firmware <1.12.3, Firmware 1.12.3 |
| 1503433 | CELLULINK 2401-4G EU M25 | Firmware <2025.6.3 |
| 1503487 | CELLULINK 2401-4G EU M40 | Firmware <2025.6.3 |
| 1637527 | CELLULINK 4401-4G GL M25 | Firmware <2025.6.3 |
| 1637627 | CELLULINK 4401-4G GL M40 | Firmware <2025.6.3 |
| 1139022 | CHARX SEC-3000 | Firmware <1.9.0 |
| 1139018 | CHARX SEC-3050 | Firmware <1.9.0 |
| 1139012 | CHARX SEC-3100 | Firmware <1.9.0 |
| 1138965 | CHARX SEC-3150 | Firmware <1.9.0 |
| 1221706 | CLOUD CLIENT 1101T-TX/TX | Firmware <3.7.8 |
| 1264327 | Energy AXC PU | Firmware <V04.27.00.00, Firmware V04.27.00.00 |
| 1357828 | FL MGUARD 2102 | Firmware <10.6.1 |
| 1357850 | FL MGUARD 2105 | Firmware <10.6.1 |
| 1441187 | FL MGUARD 4102 PCI | Firmware <10.6.1 |
| 1488314 | FL MGUARD 4102 PCI/K2 | Firmware <10.6.1 |
| 1357842 | FL MGUARD 4102 PCIE | Firmware <10.6.1 |
| 1427378 | FL MGUARD 4102 PCIE/K2 | Firmware <10.6.1 |
| 1357840 | FL MGUARD 4302 | Firmware <10.6.1 |
| 1488318 | FL MGUARD 4302/K1 | Firmware <10.6.1 |
| 1427379 | FL MGUARD 4302/K2 | Firmware <10.6.1 |
| 1488325 | FL MGUARD 4302/K3 | Firmware <10.6.1 |
| 1488326 | FL MGUARD 4302/K4 | Firmware <10.6.1 |
| 1696708 | FL MGUARD 4302/KX | Firmware <10.6.1 |
| 1357875 | FL MGUARD 4305 | Firmware <10.6.1 |
| 1696779 | FL MGUARD 4305/KX | Firmware <10.6.1 |
| 2702881 | FL NAT 2008 | Firmware <3.57, Firmware 3.57 |
| 2702882 | FL NAT 2208 | Firmware 3.57, Firmware <3.57 |
| 2702981 | FL NAT 2304-2GC-2SFP | Firmware <3.57, Firmware 3.57 |
| 2702323 | FL SWITCH 2005 | Firmware 3.57, Firmware <3.57 |
| 2702324 | FL SWITCH 2008 | Firmware 3.57, Firmware <3.57 |
| 1106707 | FL SWITCH 2008F | Firmware <3.57, Firmware 3.57 |
| 2702903 | FL SWITCH 2016 | Firmware <3.57, Firmware 3.57 |
| 2702665 | FL SWITCH 2105 | Firmware <3.57, Firmware 3.57 |
| 2702666 | FL SWITCH 2108 | Firmware 3.57, Firmware <3.57 |
| 2702908 | FL SWITCH 2116 | Firmware <3.57, Firmware 3.57 |
| 2702334 | FL SWITCH 2204-2TC-2SFX | Firmware 3.57, Firmware <3.57 |
| 2702326 | FL SWITCH 2205 | Firmware 3.57, Firmware <3.57 |
| 2702330 | FL SWITCH 2206-2FX | Firmware 3.57, Firmware <3.57 |
| 2702331 | FL SWITCH 2206-2FX SM | Firmware <3.57, Firmware 3.57 |
| 2702333 | FL SWITCH 2206-2FX SM ST | Firmware 3.57, Firmware <3.57 |
| 2702332 | FL SWITCH 2206-2FX ST | Firmware 3.57, Firmware <3.57 |
| 2702969 | FL SWITCH 2206-2SFX | Firmware 3.57, Firmware <3.57 |
| 1044028 | FL SWITCH 2206-2SFX PN | Firmware 3.57, Firmware <3.57 |
| 1095628 | FL SWITCH 2206C-2FX | Firmware <3.57, Firmware 3.57 |
| 2702328 | FL SWITCH 2207-FX | Firmware <3.57, Firmware 3.57 |
| 2702329 | FL SWITCH 2207-FX SM | Firmware 3.57, Firmware <3.57 |
| 2702327 | FL SWITCH 2208 | Firmware 3.57, Firmware <3.57 |
| 1044024 | FL SWITCH 2208 PN | Firmware 3.57, Firmware <3.57 |
| 1095627 | FL SWITCH 2208C | Firmware 3.57, Firmware <3.57 |
| 2702907 | FL SWITCH 2212-2TC-2SFX | Firmware <3.57, Firmware 3.57 |
| 2702905 | FL SWITCH 2214-2FX | Firmware <3.57, Firmware 3.57 |
| 2702906 | FL SWITCH 2214-2FX SM | Firmware <3.57, Firmware 3.57 |
| 1006188 | FL SWITCH 2214-2SFX | Firmware <3.57, Firmware 3.57 |
| 1044030 | FL SWITCH 2214-2SFX PN | Firmware 3.57, Firmware <3.57 |
| 2702904 | FL SWITCH 2216 | Firmware 3.57, Firmware <3.57 |
| 1044029 | FL SWITCH 2216 PN | Firmware 3.57, Firmware <3.57 |
| 1278397 | FL SWITCH 2303-8SP1 | Firmware <3.57, Firmware 3.57 |
| 2702653 | FL SWITCH 2304-2GC-2SFP | Firmware 3.57, Firmware <3.57 |
| 2702970 | FL SWITCH 2306-2SFP | Firmware 3.57, Firmware <3.57 |
| 1009222 | FL SWITCH 2306-2SFP PN | Firmware 3.57, Firmware <3.57 |
| 2702652 | FL SWITCH 2308 | Firmware 3.57, Firmware <3.57 |
| 1009220 | FL SWITCH 2308 PN | Firmware 3.57, Firmware <3.57 |
| 2702910 | FL SWITCH 2312-2GC-2SFP | Firmware 3.57, Firmware <3.57 |
| 1006191 | FL SWITCH 2314-2SFP | Firmware <3.57, Firmware 3.57 |
| 1031683 | FL SWITCH 2314-2SFP PN | Firmware 3.57, Firmware <3.57 |
| 2702909 | FL SWITCH 2316 | Firmware 3.57, Firmware <3.57 |
| 1031673 | FL SWITCH 2316 PN | Firmware 3.57, Firmware <3.57 |
| 1184084 | FL SWITCH 2316/K1 | Firmware 3.57, Firmware <3.57 |
| 1088853 | FL SWITCH 2404-2TC-2SFX | Firmware 3.57, Firmware <3.57 |
| 1043414 | FL SWITCH 2406-2SFX | Firmware 3.57, Firmware <3.57 |
| 1089126 | FL SWITCH 2406-2SFX PN | Firmware <3.57, Firmware 3.57 |
| 1043412 | FL SWITCH 2408 | Firmware 3.57, Firmware <3.57 |
| 1089133 | FL SWITCH 2408 PN | Firmware <3.57, Firmware 3.57 |
| 1088875 | FL SWITCH 2412-2TC-2SFX | Firmware 3.57, Firmware <3.57 |
| 1043423 | FL SWITCH 2414-2SFX | Firmware 3.57, Firmware <3.57 |
| 1089139 | FL SWITCH 2414-2SFX PN | Firmware <3.57, Firmware 3.57 |
| 1043416 | FL SWITCH 2416 | Firmware <3.57, Firmware 3.57 |
| 1089150 | FL SWITCH 2416 PN | Firmware <3.57, Firmware 3.57 |
| 1088872 | FL SWITCH 2504-2GC-2SFP | Firmware <3.57, Firmware 3.57 |
| 1043491 | FL SWITCH 2506-2SFP | Firmware <3.57, Firmware 3.57 |
| 1089135 | FL SWITCH 2506-2SFP PN | Firmware 3.57, Firmware <3.57 |
| 1215329 | FL SWITCH 2506-2SFP/K1 | Firmware <3.57, Firmware 3.57 |
| 1043484 | FL SWITCH 2508 | Firmware 3.57, Firmware <3.57 |
| 1089134 | FL SWITCH 2508 PN | Firmware <3.57, Firmware 3.57 |
| 1215350 | FL SWITCH 2508/K1 | Firmware <3.57, Firmware 3.57 |
| 1088856 | FL SWITCH 2512-2GC-2SFP | Firmware 3.57, Firmware <3.57 |
| 1043499 | FL SWITCH 2514-2SFP | Firmware 3.57, Firmware <3.57 |
| 1089154 | FL SWITCH 2514-2SFP PN | Firmware 3.57, Firmware <3.57 |
| 1043496 | FL SWITCH 2516 | Firmware 3.57, Firmware <3.57 |
| 1089205 | FL SWITCH 2516 PN | Firmware 3.57, Firmware <3.57 |
| 1106500 | FL SWITCH 2608 | Firmware 3.57, Firmware <3.57 |
| 1106616 | FL SWITCH 2608 PN | Firmware 3.57, Firmware <3.57 |
| 1106615 | FL SWITCH 2708 | Firmware 3.57, Firmware <3.57 |
| 1106610 | FL SWITCH 2708 PN | Firmware <3.57, Firmware 3.57 |
| 1525942 | FL SWITCH 5916-8GC-4SFP+ | Firmware 3.57, Firmware <3.57 |
| 1525943 | FL SWITCH 5916SFP-8GC-4SFP+ | Firmware <3.57, Firmware 3.57 |
| 1525945 | FL SWITCH 5924-4GC | Firmware <3.57, Firmware 3.57 |
| 1525939 | FL SWITCH 5924-4SFP+ | Firmware 3.57, Firmware <3.57 |
| 1525944 | FL SWITCH 5924SFP-4GC | Firmware 3.57, Firmware <3.57 |
| 1232305 | FL SWITCH TSN 2312-2GC-2SFP | Firmware 3.57, Firmware <3.57 |
| 1232302 | FL SWITCH TSN 2314-2SFP | Firmware <3.57, Firmware 3.57 |
| 1232304 | FL SWITCH TSN 2316 | Firmware 3.57, Firmware <3.57 |
| 1107132 | FL TIMESERVER NTP | Firmware <5.0.71.101, Firmware 5.0.71.101 |
| 2702992 | FL WLAN 1020 | Firmware 26.06.00, Firmware <26.06.00 |
| 2702993 | FL WLAN 1021 | Firmware 26.06.00, Firmware <26.06.00 |
| 1752493 | FL WLAN 1022 | Firmware <26.06.00, Firmware 26.06.00 |
| 1386091 | FL WLAN 1120 | Firmware 26.06.00, Firmware <26.06.00 |
| 1386092 | FL WLAN 1121 | Firmware 26.06.00, Firmware <26.06.00 |
| 1752496 | FL WLAN 1122 | Firmware 26.06.00, Firmware <26.06.00 |
| 1360275 | FL WLAN 2330 | Firmware 26.06.00, Firmware <26.06.00 |
| 1360276 | FL WLAN 2331 | Firmware 26.06.00, Firmware <26.06.00 |
| 1510147 | FL WLAN 2340 | Firmware <26.06.00, Firmware 26.06.00 |
| 1510249 | FL WLAN 2341 | Firmware 26.06.00, Firmware <26.06.00 |
| 1079808 | GTC F 2172 | Firmware <2024.0.17 |
| 2403160 | ILC 2050 BI | Firmware <1.12.4, Firmware 1.12.4 |
| 2404671 | ILC 2050 BI-L | Firmware <1.12.3, Firmware 1.12.4 |
| 1541303 | ILC 2250 BI | Firmware 1.12.3, Firmware <1.12.3 |
| 1535543 | ILC 2250 BI-L | Firmware 1.12.3, Firmware <1.12.3 |
| 1050841 | NFC 482S | Firmware <2024.0.17 |
| 1136419 | RFC 4072R | Firmware <2024.0.17 |
| 1051328 | RFC 4072S | Firmware <2024.0.17 |
| 1264328 | SMART RTU AXC IG | Firmware <V01.04.00.00, Firmware V01.04.00.00 |
| 1110435 | SMART RTU AXC SG | Firmware <V01.11.00.00, Firmware V01.11.00.00 |
| 2702886 | TC CLOUD CLIENT 1002-4G | Firmware <3.8.9 |
| 2702888 | TC CLOUD CLIENT 1002-4G ATT | Firmware <3.8.9 |
| 2702887 | TC CLOUD CLIENT 1002-4G VZW | Firmware <3.8.9 |
| 2702885 | TC CLOUD CLIENT 1002-TX/TX | Firmware <3.7.8 |
| 2702531 | TC ROUTER 2002T-3G | Firmware <3.8.9 |
| 2702530 | TC ROUTER 2002T-4G | Firmware <3.8.9 |
| 2702529 | TC ROUTER 3002T-3G | Firmware <3.8.9 |
| 2702528 | TC ROUTER 3002T-4G | Firmware <3.8.9 |
| 2702533 | TC ROUTER 3002T-4G ATT | Firmware <3.8.9 |
| 1632697 | TC ROUTER 3002T-4G GL | Firmware <3.8.9 |
| 2702532 | TC ROUTER 3002T-4G VZW | Firmware <3.8.9 |
| 1234352 | TC ROUTER 4002T-4G EU | Firmware <5.0.72.102, Firmware 5.0.72.102 |
| 1234353 | TC ROUTER 4102T-4G EU WLAN | Firmware 5.0.72.102, Firmware <5.0.72.102 |
| 1234354 | TC ROUTER 4202T-4G EU WLAN | Firmware 5.0.72.102, Firmware <5.0.72.102 |
| 1439475 | TC ROUTER 5004T-5G EU | Firmware <1.6.24 |
Vulnerabilities
Issue summary: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow.
Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution.
When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs.
Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk.
The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
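The length check that the description above says was missing, shown as an added example (not OpenSSL or Phoenix Contact code). It assumes the RFC 5084 GCMParameters layout (a SEQUENCE whose first element is the nonce OCTET STRING); `IV_BUF_LEN`, `der_header`, `copy_gcm_iv` and both sample byte arrays are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <string.h>

#define IV_BUF_LEN 16 /* assumed size of the fixed destination buffer */

/* Constructed GCMParameters samples: a 12-byte nonce, and a header that
 * declares a 32-byte nonce (content is zeros; only the length matters). */
const unsigned char ok_params[16] = { 0x30, 0x0e, 0x04, 0x0c,
                                      1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };
const unsigned char big_params[36] = { 0x30, 0x22, 0x04, 0x20 };

/* Check tag and short-form DER length at *p, then advance past the header.
 * Returns the content length, or -1 if malformed, long-form, or truncated. */
static long der_header(const unsigned char **p, const unsigned char *end,
                       unsigned char tag)
{
    if (end - *p < 2 || (*p)[0] != tag || ((*p)[1] & 0x80))
        return -1;
    long len = (*p)[1];
    *p += 2;
    return len > end - *p ? -1 : len;
}

/* Copy the nonce from DER GCMParameters into a fixed buffer.
 * Returns the nonce length, or -1 when the input must be rejected. */
long copy_gcm_iv(const unsigned char *der, size_t der_len,
                 unsigned char iv[IV_BUF_LEN])
{
    const unsigned char *p = der, *end = der + der_len;
    long seq = der_header(&p, end, 0x30);   /* SEQUENCE */
    if (seq < 0)
        return -1;
    end = p + seq;                           /* stay inside the SEQUENCE */
    long n = der_header(&p, end, 0x04);     /* OCTET STRING: aes-nonce */
    if (n <= 0 || n > IV_BUF_LEN)           /* length check before the copy */
        return -1;
    memcpy(iv, p, (size_t)n);
    return n;
}

int main(void)
{
    unsigned char iv[IV_BUF_LEN];
    int ok = copy_gcm_iv(ok_params, sizeof ok_params, iv) == 12 &&
             copy_gcm_iv(big_params, sizeof big_params, iv) == -1;
    return ok ? 0 : 1;
}
```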
Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer.
Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service.
The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer.
The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy.
The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.
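The length accounting described above, modelled next to a hardened conversion, as an added example (a simplified model, not OpenSSL's source). `put_utf8`, `flawed_nul_index`, `bmp_to_utf8_checked` and `euro_bmp` are hypothetical names; the model handles BMP code points only and the flawed variant never writes outside a local scratch buffer, it only returns the index the NUL would have used.

```c
#include <stddef.h>

const unsigned char euro_bmp[2] = { 0x20, 0xAC }; /* constructed: U+20AC, UTF-16BE */

/* Stand-in UTF-8 emitter (BMP only, no surrogates): returns bytes written,
 * or -1 when cap is smaller than the encoding needs. */
static int put_utf8(unsigned char *out, long cap, unsigned cp)
{
    int need = cp < 0x80 ? 1 : cp < 0x800 ? 2 : 3;
    if (cap < need)
        return -1;
    if (need == 1)
        out[0] = (unsigned char)cp;
    else
        out[0] = (unsigned char)((need == 2 ? 0xC0 : 0xE0) | (cp >> (6 * (need - 1))));
    for (int k = 1; k < need; k++)
        out[k] = (unsigned char)(0x80 | ((cp >> (6 * (need - 1 - k))) & 0x3F));
    return need;
}

/* Length accounting as the advisory describes it: capacity comes from the
 * remaining SOURCE bytes and the result is added unchecked. Returns the index
 * where the trailing NUL would land; only scratch is ever written. */
long flawed_nul_index(const unsigned char *src, size_t srclen)
{
    unsigned char scratch[3];
    long len = 0;
    for (size_t i = 0; i + 1 < srclen; i += 2)
        len += put_utf8(scratch, (long)(srclen - i), (src[i] << 8) | src[i + 1]);
    return len;
}

/* Hardened form: capacity is the remaining DESTINATION space (one byte kept
 * for the NUL) and every return value is checked. Returns length or -1. */
long bmp_to_utf8_checked(const unsigned char *src, size_t srclen,
                         unsigned char *dst, size_t dstcap)
{
    long len = 0;
    if (srclen % 2 != 0 || dstcap == 0)
        return -1;
    for (size_t i = 0; i < srclen; i += 2) {
        int j = put_utf8(dst + len, (long)dstcap - 1 - len,
                         (src[i] << 8) | src[i + 1]);
        if (j < 0)
            return -1;
        len += j;
    }
    dst[len] = '\0';
    return len;
}
```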
Mitigation
Phoenix Contact strongly recommends uploading firmware or key files (PKCS#12) only from trusted sources and thoroughly checking the SHA256 checksum of the files to be uploaded.
Remediation
Phoenix Contact strongly recommends upgrading affected devices to the fixed firmware as soon as it becomes available.
| Article family | Fix version number | Fix available | Planned release date |
|---|---|---|---|
| CHARX control modular SEC-3XXX | 1.9.0 | yes | |
| PLCnext Control | 2024.0.17 | yes | |
| PLCnext Control AXC F 2000 EA | 2026.0.0 | yes | |
| Energy AXC PU | V04.27.00.00 | no | 2026-08-31 |
| SMART RTU AXC SG | V01.11.00.00 | no | 2026-09-30 |
| SMART RTU AXC IG | V01.04.00.00 | no | 2026-12-31 |
| ILC 2250, CATAN C1 | Emalytics-1.12.3 | no | 2026-05-31 |
| ILC 2050 | Emalytics-1.12.4 | no | 2026-09-30 |
| FL MGUARD 2xxx, 4xxx | 10.6.1 | yes | |
| FL SWITCH 2xxx, FL NAT 2xxx, FL SWITCH TSN 23xx, FL SWITCH 59xx | 3.57 | no | 2026-06-29 |
| FL WLAN 1xxx, FL WLAN 23xx | 26.06.00 | no | 2026-06-29 |
| TC ROUTER 2xxx, 3xxx, TC CLOUD CLIENT 1002-4G | 3.8.9 | yes | |
| TC ROUTER 5004T-5G EU | 1.6.24 | yes | |
| CLOUD CLIENT 1101-TX/TX, TC CLOUD CLIENT 1002-TX/TX | 3.7.8 | yes | |
| TC ROUTER 4xxx | 5.0.72.102 | no | 2026-04-30 |
| FL TIMESERVER NTP | 5.0.71.101 | no | 2026-08-31 |
| CELLULINK x401-4G | 2025.6.3 | yes | |
Acknowledgments
Phoenix Contact GmbH & Co. KG thanks the following parties for their efforts:
- CERT@VDE for coordination (see https://certvde.com )
Revision History
| Version | Date | Summary |
|---|---|---|
| 1.0.0 | 04/22/2026 10:00 | Initial release. |