Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
A command injection vulnerability in the device’s Root CA certificate transfer workflow allows a high-privileged attacker to send crafted HTTP POST requests that result in arbitrary command execution on the underlying Linux OS with root privileges.
AnalysisAI
Arbitrary command execution with root privileges affects multiple Fl Switch and Fl Nat devices through improper handling of HTTP POST requests in the Root CA certificate transfer workflow. An authenticated high-privileged attacker can exploit this command injection flaw to execute arbitrary commands on the underlying Linux operating system. No patch is currently available for the affected product versions.
Technical ContextAI
This vulnerability (CWE-77: Command Injection) affects Phoenix Contact industrial Ethernet switches and NAT routers, specifically in firmware handling certificate management workflows. The affected products include the FL SWITCH 2000-series (ranging from 5 to 16 ports), FL SWITCH 5900-series high-performance switches, and FL NAT network address translation devices, all running Linux-based firmware. The command injection occurs during Root CA certificate transfer operations, where user-supplied input in HTTP POST requests is insufficiently sanitized before being passed to system shell commands. This allows metacharacters or command separators to break out of the intended command context and execute arbitrary OS commands. The vulnerability exists in the web management interface's certificate handling code, where the application fails to properly validate or escape user input before constructing shell commands for certificate installation or transfer operations.
RemediationAI
Upgrade all affected Phoenix Contact FL SWITCH and FL NAT devices to firmware version 3.53 or later, as specified in the CERT@VDE advisory at https://certvde.com/de/advisories/VDE-2025-104. Prior to patching, restrict administrative access to the web management interface to trusted management networks only, using firewall rules or VLANs to prevent access from production or untrusted networks. Implement strong password policies and multi-factor authentication where supported to reduce the risk of credential compromise. Monitor administrative access logs for unusual certificate management operations or suspicious POST requests to certificate-related endpoints. Consider placing these devices behind a jump host or bastion server that enforces additional authentication and logging for administrative sessions. Review and rotate administrative credentials after applying the patch to ensure no compromised accounts persist.
More in Fl Switch 2316 Pn
View allA cross-site scripting vulnerability (CVSS 7.1) that allows an unauthenticated remote attacker. High severity vulnerabil
A CSRF vulnerability in A CSRF vulnerability in the Link Aggregation configuration interface (CVSS 7.1) that allows an u
A buffer overflow vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.
A buffer overflow vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.
A buffer overflow vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
Denial of service in Stack Overflow and Fl networking devices results from a stack-based buffer overflow in the file ins
A buffer overflow vulnerability (CVSS 4.9) that allows a high-privileged attacker. Remediation should follow standard vu
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12786