CVE-2021-21004
📋 TL;DR
This vulnerability allows attackers to inject malicious code into Phoenix Contact FL SWITCH SMCS series network switches via LLDP frames, which then executes in the web-based management interface when accessed by administrators. It affects industrial network switches used in operational technology environments. Attackers can compromise switch management and potentially pivot to other network segments.
💻 Affected Systems
- Phoenix Contact FL SWITCH SMCS series
📦 What is this software?
Fl Nat Smn 8tx Firmware by Phoenixcontact
Fl Nat Smn 8tx M Firmware by Phoenixcontact
Fl Switch Smcs 14tx/2fx Firmware by Phoenixcontact
Fl Switch Smcs 14tx/2fx Sm Firmware by Phoenixcontact
Fl Switch Smcs 16tx Firmware by Phoenixcontact
Fl Switch Smcs 4tx Pn Firmware by Phoenixcontact
Fl Switch Smcs 6gt/2sfp Firmware by Phoenixcontact
Fl Switch Smcs 6tx/2sfp Firmware by Phoenixcontact
Fl Switch Smcs 8tx Pn Firmware by Phoenixcontact
Fl Switch Smn 6tx/2fx Firmware by Phoenixcontact
Fl Switch Smn 6tx/2fx Sm Firmware by Phoenixcontact
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of network switch allowing attacker to reconfigure network, intercept traffic, pivot to other industrial systems, and disrupt operations.
Likely Case
Attacker gains control of switch management interface, enabling network reconnaissance, traffic manipulation, and potential lateral movement to connected systems.
If Mitigated
Limited impact if switches are isolated from untrusted networks and web interface access is restricted.
🎯 Exploit Status
Exploitation requires sending crafted LLDP frames to vulnerable switches and tricking administrators into accessing the web interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched versions
Vendor Advisory: https://cert.vde.com/en-us/advisories/vde-2021-023
Restart Required: Yes
Instructions:
1. Download the firmware update from the Phoenix Contact support portal.
2. Back up the current configuration.
3. Apply the firmware update via the web interface or console.
4. Reboot the switch.
5. Verify the version and functionality.
🔧 Temporary Workarounds
Disable web management interface
Prevents execution of injected code by disabling the vulnerable web interface. The commands below are generic examples; check the Phoenix Contact documentation for the exact syntax on the SMCS series.
Configure via CLI:
no ip http server
no ip http secure-server
Restrict LLDP frame sources
Limits which devices can send LLDP frames to the switch.
Configure ACLs to block LLDP from untrusted sources, or disable LLDP reception on untrusted ports:
lldp receive disable on untrusted ports
🧯 If You Can't Patch
- Isolate switches in separate VLAN with strict access controls
- Implement network monitoring for anomalous LLDP traffic
🔍 How to Verify
Check if Vulnerable:
Check firmware version against vendor advisory. Monitor for unexpected LLDP traffic to switches.
Check Version:
show version (via CLI) or check web interface system info
Verify Fix Applied:
Verify firmware version is updated to patched version. Test that web interface no longer executes injected LLDP content.
📡 Detection & Monitoring
Log Indicators:
- Unusual LLDP frame patterns
- Web interface access from unexpected sources
- Configuration changes without authorization
Network Indicators:
- Malformed or oversized LLDP frames arriving on switch ports, especially ports facing untrusted devices
- Unexpected connections to switch web ports
SIEM Query (pseudo-query; adapt field names to your tool):
source_ip=* AND dest_ip=switch_management AND protocol=LLDP AND packet_size>normal
Note that LLDP is a link-layer protocol (EtherType 0x88CC, sent to the multicast MAC 01:80:C2:00:00:0E) and carries no IP addresses, so in practice the query has to key on EtherType or destination MAC and the ingress port rather than on IP fields.