A cross‑site request forgery (CSRF) vulnerability in the Link Aggregation configuration interface allows an unauthenticated remote attacker to trick authenticated users into submitting unauthorized POST requests. The malicious webpage lures the victim to trigger configuration changes that silently alter the device’s settings. The impact is a compromise of configuration integrity; availability effects are minimal as the device auto‑recovers after the change. The vulnerability is identified as CWE-352.

Affected systems are a range of Phoenix Contact network devices, including the FL NAT 2008, FL NAT 2208, FL NAT 2304‑2GC‑2SFP, and many FL SWITCH models (e.g., FL SWITCH 2005, 2008, 2008F, 2016, 2105, 2108, 2116, 2204‑2TC‑2SFX, 2205, 2206‑2FX, 2206‑2FX‑SM, 2206‑2FX‑SM‑ST, 2206‑2FX‑ST, 2206‑2SFX, 2206‑2SFX‑PN, 2206C‑2FX, 2207‑FX, 2207‑FX‑SM, 2208, 2208‑PN, 2208C, 2212‑2TC‑2SFX, 2214‑2FX, 2214‑2FX‑SM, 2214‑2SFX, 2214‑2SFX‑PN, 2216, 2216‑PN, 2303‑8SP1, 2304‑2GC‑2SFP, 2306‑2SFP, 2306‑2SFP‑PN, 2308, 2308‑PN, 2312‑2GC‑2SFP, 2314‑2SFP, 2314‑2SFP‑PN, 2316, 2316‑PN, 2316/K1, 2404‑2TC‑2SFX, 2406‑2SFX, 2406‑2SFX‑PN, 2408, 2408‑PN, 2412‑2TC‑2SFX, 2414‑2SFX, 2414‑2SFX‑PN, 2416, 2416‑PN, 2504‑2GC‑2SFP, 2506‑2SFP, 2506‑2SFP‑PN, 2506‑2SFP/K1, 2508, 2508‑PN, 2508/K1, 2512‑2GC‑2SFP, 2514‑2SFP, 2514‑2SFP‑PN, 2516, 2516‑PN, 2608, 2608‑PN, 2708, 2708‑PN, 5916‑8GC‑4SFP+, 5916SFP‑8GC‑4SFP+, 5924‑4GC, 5924‑4SFP+, 5924SFP‑4GC, TSN 2312‑2GC‑2SFP, TSN 2314‑2SFP, TSN 2316. Specific firmware or software version information is not provided.

The vulnerability is scored CVSS 7.1, indicating moderate‑to‑high severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a standard web browsing scenario: the attacker publishes a malicious webpage that, when visited by an authenticated user, causes the browser to silently submit a POST request to the device’s configuration endpoint. No credentials are required on the attacker’s side, and successful exploitation results in unauthorized configuration changes; the device recovers automatically, so availability impact is low. Given the ease of mounting the CSRF payload and the lack of activation barriers, the risk of exploitation is considered significant, especially for networks that expose the configuration interface to the Internet or untrusted networks.