CVE-2021-33540
📋 TL;DR
This vulnerability involves undocumented password-protected FTP access to the root directory in certain Phoenix Contact AXL F BK and IL BK devices. Attackers who discover the credentials can access sensitive system files and potentially modify device configurations. Organizations using these specific industrial control system devices are affected.
💻 Affected Systems
- Phoenix Contact AXL F BK
- Phoenix Contact IL BK
📦 What is this software?
Axl F Bk Eip Ef Firmware by Phoenixcontact
Axl F Bk Eip Firmware by Phoenixcontact
Axl F Bk Eth Firmware by Phoenixcontact
Axl F Bk Eth Xc Firmware by Phoenixcontact
Axl F Bk Pn Firmware by Phoenixcontact
Axl F Bk Pn Tps Firmware by Phoenixcontact
Axl F Bk Pn Xc Firmware by Phoenixcontact
Axl F Bk S35 Firmware by Phoenixcontact
Axl F Bk Sas Firmware by Phoenixcontact
Il Eip Bk Di8 Do4 2tx Pac Firmware by Phoenixcontact
Il Eth Bk Di8 Do4 2tx Pac Firmware by Phoenixcontact
Il Eth Bk Di8 Do4 2tx Xc Pac Firmware by Phoenixcontact
Il Pn Bk Di8 Do4 2scrj Pac Firmware by Phoenixcontact
Il Pn Bk Di8 Do4 2tx Pac Firmware by Phoenixcontact
Il Pn Bk Pac Firmware by Phoenixcontact
⚠️ Risk & Real-World Impact
Worst Case
Full device compromise allowing configuration changes, firmware manipulation, or installation of persistent malware that could disrupt industrial operations.
Likely Case
Unauthorized access to sensitive configuration files, potential data exfiltration, and limited system manipulation by attackers who discover the credentials.
If Mitigated
No impact if proper network segmentation and access controls prevent external FTP access to these devices.
🎯 Exploit Status
Exploitation requires discovering the undocumented FTP credentials, but once obtained, access is straightforward via standard FTP clients.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Contact Phoenix Contact for specific firmware updates
Vendor Advisory: https://cert.vde.com/en-us/advisories/vde-2021-021
Restart Required: Yes
Instructions:
1. Contact Phoenix Contact support for firmware updates.
2. Back up the device configuration.
3. Apply the firmware update following vendor instructions.
4. Restart the device.
5. Verify that FTP access is properly secured.
🔧 Temporary Workarounds
- Network segmentation and firewall rules: block FTP access to affected devices from untrusted networks.
- Disable the FTP service if not required: turn off the FTP service on affected devices if file transfer functionality is not needed.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected devices from untrusted networks
- Monitor FTP access logs for unauthorized connection attempts and credential guessing
🔍 How to Verify
Check if Vulnerable:
Attempt FTP connection to device port 21 using various credential combinations. Check device documentation for undocumented FTP access.
Check Version:
Check device firmware version through web interface or console. Contact Phoenix Contact for version verification.
Verify Fix Applied:
Verify FTP service is either disabled or properly secured with strong authentication. Test that undocumented credentials no longer work.
📡 Detection & Monitoring
Log Indicators:
- Failed FTP authentication attempts
- Successful FTP connections from unusual sources
- FTP root directory access logs
Network Indicators:
- FTP traffic to industrial control devices
- Port 21 connections to affected devices
SIEM Query:
(source_port=21 OR dest_port=21) AND (device_type="industrial_control" OR device_vendor="Phoenix Contact")
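Detection logic for the log and network indicators above, as an added example that is not part of the original advisory: it reads constructed firewall and FTP-server syslog lines (assumed simplified formats, not vendor formats), flags allowed port-21 sessions to the couplers that originate outside an assumed engineering subnet, and counts failed logins per source to surface credential guessing. Device addresses and the subnet are placeholders.

```python
import ipaddress
import re
from collections import Counter

# Constructed inventory of bus couplers (placeholder addresses, not real hosts).
ICS_DEVICES = {
    "10.10.5.21": "Phoenix Contact AXL F BK",
    "10.10.5.22": "Phoenix Contact IL BK",
}
# Assumed engineering subnet: the only place FTP to a coupler should come from.
ENGINEERING_NET = ipaddress.ip_network("10.10.9.0/24")

# Assumed simplified syslog formats for a firewall and an FTP server.
FW_RE = re.compile(r"fw: src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)")
FTP_RE = re.compile(r"ftpd\[\d+\]: (?P<result>FAILED|OK) LOGIN from (?P<src>\S+)")

def analyze(lines, guess_threshold=3):
    """Return a dict with:
    unexpected_sessions: allowed port-21 sessions to a coupler from outside ENGINEERING_NET
    failed_logins: failed FTP logins per source address
    guessing_sources: sources with at least guess_threshold failed logins"""
    unexpected = []
    failed = Counter()
    for line in lines:
        m = FW_RE.search(line)
        if m:
            if (m["dport"] == "21" and m["dst"] in ICS_DEVICES
                    and m["action"] == "ALLOW"
                    and ipaddress.ip_address(m["src"]) not in ENGINEERING_NET):
                unexpected.append((m["src"], ICS_DEVICES[m["dst"]]))
            continue
        m = FTP_RE.search(line)
        if m and m["result"] == "FAILED":
            failed[m["src"]] += 1
    guessing = sorted(s for s, n in failed.items() if n >= guess_threshold)
    return {"unexpected_sessions": unexpected, "failed_logins": failed, "guessing_sources": guessing}

# Constructed sample log lines.
SAMPLE_LOGS = [
    "Jun 01 10:00:01 fw: src=10.10.9.15 dst=10.10.5.21 dport=21 action=ALLOW",   # expected source
    "Jun 01 10:00:05 fw: src=192.168.77.8 dst=10.10.5.22 dport=21 action=DENY",  # blocked, not a session
    "Jun 01 10:00:07 fw: src=192.168.77.8 dst=10.10.5.21 dport=21 action=ALLOW", # unusual source
    "Jun 01 10:00:09 fw: src=192.168.77.8 dst=10.10.5.22 dport=80 action=ALLOW", # not FTP, ignored
    "Jun 01 10:00:12 ftpd[412]: FAILED LOGIN from 192.168.77.8",
    "Jun 01 10:00:13 ftpd[412]: FAILED LOGIN from 192.168.77.8",
    "Jun 01 10:00:14 ftpd[412]: FAILED LOGIN from 192.168.77.8",
    "Jun 01 10:00:20 ftpd[413]: OK LOGIN from 10.10.9.15",
]
```

Run `analyze(SAMPLE_LOGS)` to see the one unexpected session and the guessing source; wire the same two checks to the SIEM feeds that carry your firewall and FTP-server logs.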