The security of industrial routers is fundamental to maintaining the integrity of critical infrastructures, as these devices serve as entry points to industrial control systems and other important assets.
Nozomi Networks Labs recently analyzed a Phoenix Contact mGuard industrial router, uncovering a total of 12 vulnerabilities. The four riskiest vulnerabilities enable authenticated remote code execution (RCE) with root privileges. Alarmingly, these flaws can be exploited even by remote users through the Wide Area Network (WAN) interface and with low-level permissions, potentially granting them full control over the device and the ability to obtain a foothold inside managed networks.
Phoenix Contact responded swiftly after being informed of the findings, resolving the issues within an impressive two-month period. Details on the patches addressing these vulnerabilities are available in Phoenix Contact’s official advisory.
Below, we describe the security research that uncovered these 12 vulnerabilities. As part of our ongoing service to Nozomi Networks customers, our Threat Intelligence service has been enhanced with new methods to identify these vulnerabilities across devices.
Research Scope
The Phoenix Contact mGuard is an industrial security appliance designed to provide robust protection for networked systems in environments like manufacturing plants, critical infrastructure, and other industrial sectors. Known for its advanced firewall, VPN, and routing capabilities, the mGuard plays a crucial role in safeguarding sensitive industrial operations from external and internal cyber threats. It offers a range of features tailored to secure industrial communication, including encryption for data transmission or secure remote access.
At the heart of its functionality is the mGuard’s primary management interface, a web-based platform that allows administrators to configure, monitor, and control the device from a centralized location. This interface supports multiple levels of user authentication with distinct roles and permissions. For example, the “admin” role has unrestricted access to all functions, including full configuration capabilities and system management. The “netadmin” role, on the other hand, has administrative rights related specifically to network management, and cannot access sensitive information such as passwords or private keys. Finally, the “audit” user has read-only access, allowing this role to view configurations and status reports without the ability to make any changes.
All the security flaws detailed in this blog were discovered during a comprehensive analysis of this web interface. For a breakdown of the affected components and versions, refer to the “Vulnerability List and Affected Versions” section.
What Are the Impacts of These Vulnerabilities?
Since four of the identified vulnerabilities enable authenticated RCE with root privileges on the affected devices, attack scenarios that could potentially arise from exploiting these issues include:
- Disabling of security controls: Because the mGuard is responsible for enforcing security policies, such as firewall rules and network segmentation, a successful exploitation could allow an attacker to bypass these controls entirely. They could create backdoors, disable security alerts, or configure the device in ways that weaken the overall security posture of the network.
- Data theft and network surveillance: With root access, an attacker can intercept, alter, or exfiltrate network traffic passing through the mGuard device. Sensitive data, including industrial protocols, control commands, or other proprietary information, could be exposed. This is especially dangerous in industrial environments where confidential or safety-critical data must be protected.
- Lateral movement across the network: Once an mGuard device is compromised, an attacker could use it as a staging point to move laterally through the network. They could attempt to compromise other devices or systems connected to the network, potentially escalating their attack to impact critical operational systems or disrupting the entire infrastructure.
Although exploiting these vulnerabilities requires authenticated access, it does not necessarily demand high-privileged user roles, such as “admin.” For instance, the vulnerable parameter linked to one of the four authenticated RCEs was found in the email notification settings, which is not a highly sensitive functionality. As a result, an attacker could exploit low-privileged accounts with access to these areas. They might gain this initial access by logging in with reused or default credentials, attempting phishing attacks, or employing other techniques. Once inside, the attacker could cause substantial damage to the network and compromise its security architecture.
Vulnerability List and Affected Versions
The following table lists the twelve vulnerabilities found, ordered by CVSS v3.1 base score.
The following is a list of affected products:
- Firmware < 8.9.3 installed on FL MGUARD RS2000 TX/TX VPN
- Firmware < 8.9.3 installed on FL MGUARD RS2005 TX VPN
- Firmware < 8.9.3 installed on TC MGUARD RS2000 3G VPN
- Firmware < 8.9.3 installed on FL MGUARD RS4000 TX/TX
- Firmware < 8.9.3 installed on FL MGUARD RS4000 TX/TX VPN
- Firmware < 8.9.3 installed on FL MGUARD RS4004 TX/DTX
- Firmware < 8.9.3 installed on FL MGUARD RS4004 TX/DTX VPN
- Firmware < 8.9.3 installed on TC MGUARD RS4000 3G VPN
- Firmware < 8.9.3 installed on FL MGUARD RS2000 TX/TX-B
- Firmware < 8.9.3 installed on FL MGUARD RS4000 TX/TX-P
- Firmware < 8.9.3 installed on FL MGUARD RS4000 TX/TX-M
- Firmware < 8.9.3 installed on FL MGUARD PCI4000
- Firmware < 8.9.3 installed on FL MGUARD PCI4000 VPN
- Firmware < 8.9.3 installed on FL MGUARD PCIE4000
- Firmware < 8.9.3 installed on FL MGUARD PCIE4000 VPN
- Firmware < 8.9.3 installed on FL MGUARD DELTA TX/TX
- Firmware < 8.9.3 installed on FL MGUARD DELTA TX/TX VPN
- Firmware < 8.9.3 installed on FL MGUARD SMART2
- Firmware < 8.9.3 installed on FL MGUARD SMART2 VPN
- Firmware < 8.9.3 installed on FL MGUARD CORE TX
- Firmware < 8.9.3 installed on FL MGUARD CORE TX VPN
- Firmware < 8.9.3 installed on TC MGUARD RS2000 4G VPN
- Firmware < 8.9.3 installed on TC MGUARD RS4000 4G VPN
- Firmware < 8.9.3 installed on TC MGUARD RS4000 4G VZW VPN
- Firmware < 8.9.3 installed on TC MGUARD RS2000 4G VZW VPN
- Firmware < 8.9.3 installed on TC MGUARD RS4000 4G ATT VPN
- Firmware < 8.9.3 installed on TC MGUARD RS2000 4G ATT VPN
- Firmware < 8.9.3 installed on FL MGUARD GT/GT
- Firmware < 8.9.3 installed on FL MGUARD GT/GT VPN
- Firmware < 8.9.3 installed on FL MGUARD CENTERPORT
- Firmware < 8.9.3 installed on FL MGUARD CENTERPORT VPN-1000
- Firmware < 10.4.1 installed on FL MGUARD 2102
- Firmware < 10.4.1 installed on FL MGUARD 2105
- Firmware < 10.4.1 installed on FL MGUARD 4302
- Firmware < 10.4.1 installed on FL MGUARD 4305
- Firmware < 10.4.1 installed on FL MGUARD 4102 PCIE
- Firmware < 10.4.1 installed on FL MGUARD 4102 PCI
Remediations
Following the report of these vulnerabilities, Phoenix Contact promptly released updated versions of the affected packages. Asset owners can resolve the issues by updating the firmware on their mGuard devices to the following versions:
If updating the firmware is not feasible, the following mitigations help minimize the chances of successful exploitation:
- Keep the number of accounts entitled to access the mGuard management interface to a minimum. Ensure that only trusted users are allowed, and that their passwords are thoroughly protected;
- Log and regularly audit successful logins to the device.
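As an added illustration of the second mitigation (not code from Nozomi Networks or Phoenix Contact), the script below audits successful management-interface logins against a list of trusted accounts and the expected management subnet, so a login from a WAN-side address or by an unexpected account stands out. The log lines are constructed for the example; the real mGuard log format is an assumption and must be checked against an actual device.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample log lines in a generic "login ok" form. The field layout is an
# assumption for this example, not the documented mGuard syslog format.
SAMPLE_LOGS = """\
2024-05-02T08:01:12 mguard1 web: login ok user=admin role=admin src=10.20.0.5
2024-05-02T08:15:40 mguard1 web: login ok user=netadmin role=netadmin src=10.20.0.7
2024-05-02T23:47:03 mguard1 web: login ok user=audit role=audit src=203.0.113.44
2024-05-03T02:10:55 mguard1 web: login ok user=svc_mail role=netadmin src=198.51.100.9
2024-05-03T09:00:01 mguard1 web: login failed user=admin src=203.0.113.44
"""

# Only successful logins are matched; failed attempts are a separate concern.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) web: login ok user=(?P<user>\S+) "
    r"role=(?P<role>\S+) src=(?P<src>\S+)$"
)


def audit_logins(log_text, trusted_users, mgmt_networks):
    """Return (timestamp, user, src, reasons) for each successful login that
    violates the policy: account not in the trusted list, or source address
    outside the management networks (for example a WAN-side address)."""
    nets = [ipaddress.ip_network(n) for n in mgmt_networks]
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src = ipaddress.ip_address(m["src"])
        reasons = []
        if m["user"] not in trusted_users:
            reasons.append("account not in trusted list")
        if not any(src in n for n in nets):
            reasons.append("source outside management network")
        if reasons:
            findings.append((m["ts"], m["user"], m["src"], reasons))
    return findings


def login_counts(log_text):
    """Successful logins per account: accounts that never log in are candidates for removal."""
    return Counter(m["user"] for m in map(LOG_RE.match, log_text.splitlines()) if m)


if __name__ == "__main__":
    for finding in audit_logins(SAMPLE_LOGS, {"admin", "netadmin", "audit"}, ["10.20.0.0/16"]):
        print(finding)
```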
Asset owners may find other details about these vulnerabilities in Phoenix Contact’s official advisory.