
CVE-2025-41665: CWE-276 Incorrect Default Permissions in PHOENIX CONTACT AXC F 1152

Severity: Medium
Type: Vulnerability
Tags: cve, cve-2025-41665, cwe-276
Published: Tue Jul 08 2025 (07/08/2025, 07:03:26 UTC)
Source: CVE Database V5
Vendor/Project: PHOENIX CONTACT
Product: AXC F 1152

Description

A low-privileged remote attacker can force the watchdog of the affected devices to reboot the PLC due to incorrect default permissions of a config file.

AI-Powered Analysis

Last updated: 07/08/2025, 07:40:56 UTC

Technical Analysis

CVE-2025-41665 is a vulnerability identified in the PHOENIX CONTACT AXC F 1152 programmable logic controller (PLC). The root cause is incorrect default permissions (CWE-276) on a configuration file that controls the watchdog functionality of the device. This misconfiguration allows a low-privileged remote attacker to trigger the watchdog timer, causing the PLC to reboot unexpectedly. The vulnerability does not impact confidentiality or integrity directly but results in a denial of service (DoS) condition by affecting availability. The CVSS v3.1 score is 6.5 (medium severity), reflecting that the attack vector is network-based (AV:N), requires low attack complexity (AC:L), and low privileges (PR:L), but no user interaction (UI:N). The scope is unchanged (S:U), and the impact is limited to availability (A:H) with no confidentiality or integrity impact. There are no known exploits in the wild as of the publication date, and no patches have been released yet. The vulnerability is significant because PLCs like the AXC F 1152 are critical components in industrial control systems (ICS) and automation environments, where unexpected reboots can disrupt manufacturing processes, cause safety risks, and lead to operational downtime. The incorrect default permissions suggest a configuration oversight that could be mitigated by hardening file permissions and access controls on the device.

Potential Impact

For European organizations, especially those in manufacturing, critical infrastructure, and industrial automation sectors, this vulnerability poses a risk of operational disruption. PLCs like the AXC F 1152 are widely used in factory automation, energy management, and process control. An attacker exploiting this vulnerability could cause repeated or timed reboots, leading to production halts, safety system failures, or loss of control over critical processes. This can result in financial losses, regulatory non-compliance, and potential safety hazards. Given the increasing digitization and network connectivity of industrial environments in Europe, the attack surface is expanding, making such vulnerabilities more impactful. Organizations relying on PHOENIX CONTACT devices should be aware that even low-privileged attackers with network access could cause significant availability issues. The lack of confidentiality or integrity impact reduces risks of data theft or manipulation but does not diminish the operational consequences of service interruptions.

Mitigation Recommendations

1. Immediately review and harden file system permissions on the AXC F 1152 devices, ensuring that configuration files controlling watchdog functions are accessible only to highly privileged system processes or administrators.
2. Implement network segmentation and strict access controls to limit which users and systems can communicate with PLCs, reducing the risk of unauthorized remote access.
3. Monitor device logs and network traffic for unusual watchdog resets or reboot patterns that could indicate exploitation attempts.
4. Employ intrusion detection systems tailored for ICS environments to detect anomalous commands or access attempts targeting PLCs.
5. Coordinate with PHOENIX CONTACT for firmware updates or patches addressing this vulnerability and apply them promptly once available.
6. Conduct regular security audits and configuration reviews of industrial devices to identify and remediate permission misconfigurations proactively.
7. Train operational technology (OT) personnel on secure configuration management and incident response specific to PLCs and ICS devices.
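The permission review in recommendation 1 can be scripted. The following is an added example, not vendor or CVE-record code: it assumes the configuration directory is reachable as a POSIX file system (on the device or in a mounted image), and the file names `watchdog.conf` and `network.conf` are hypothetical, since the advisory does not name the affected file.

```python
import os
import stat
import sys
import tempfile

# Write bits for group and other: any of these on a watchdog-related config
# file lets a non-admin account change it (CWE-276).
LOOSE_WRITE = stat.S_IWGRP | stat.S_IWOTH


def audit_config_tree(root):
    """Return sorted (path, octal mode, reason) tuples for risky entries under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dmode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        # A writable directory without the sticky bit lets a user delete and
        # recreate a file even when the file itself is locked down.
        if dmode & LOOSE_WRITE and not dmode & stat.S_ISVTX:
            findings.append((dirpath, oct(dmode), "directory writable by group/other"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful; skip it
            fmode = stat.S_IMODE(st.st_mode)
            if fmode & LOOSE_WRITE:
                findings.append((path, oct(fmode), "file writable by group/other"))
    return sorted(findings)


def constructed_demo_tree():
    """Constructed sample tree with hypothetical file names (not from the advisory)."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    for name, mode in (("watchdog.conf", 0o666), ("network.conf", 0o600)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    # Pass a real config directory as the first argument; without one, the
    # constructed demo tree is audited. Exit status 1 means something was flagged.
    results = audit_config_tree(sys.argv[1] if len(sys.argv) > 1 else constructed_demo_tree())
    for path, mode, reason in results:
        print(f"{mode:>7}  {reason}: {path}")
    sys.exit(1 if results else 0)
```

The directory check matters because tightening a file's mode alone does not help if an unprivileged account can still replace the file in a writable parent directory.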


Technical Details

Data Version: 5.1
Assigner Short Name: CERTVDE
Date Reserved: 2025-04-16T11:17:48.307Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 686cc7a96f40f0eb72f2523b

Added to database: 7/8/2025, 7:24:25 AM

Last enriched: 7/8/2025, 7:40:56 AM

Last updated: 7/15/2025, 4:53:42 PM
