CVE-2025-41666: CWE-59 Improper Link Resolution Before File Access ('Link Following') in PHOENIX CONTACT AXC F 1152
A low privileged remote attacker with file access can replace a critical file used by the watchdog to get read, write and execute access to any file on the device after the watchdog has been initialized.
AI Analysis
Technical Summary
CVE-2025-41666 is a high-severity vulnerability identified in the PHOENIX CONTACT AXC F 1152 industrial controller. It is classified under CWE-59, improper link resolution before file access ('link following'): the affected component opens a path without checking whether that path has been redirected through a symbolic or hard link, so a link planted by a low privileged user causes a privileged process to operate on a file of that user's choosing. Here, a low privileged remote attacker who already has file access on the device can replace a critical file used by the device's watchdog mechanism; once the watchdog has been initialized, the attacker obtains read, write, and execute access to any file on the device. The watchdog is a critical component responsible for monitoring system health and ensuring operational continuity, so compromising it can lead to full system control or persistent malicious code execution. The CVSS 3.1 base score of 8.8 reflects the high impact on confidentiality, integrity, and availability, with a network attack vector, low attack complexity, low privileges required, and no user interaction, which makes the flaw a significant risk in environments where an attacker can gain an initial low privileged foothold. No known exploits are currently reported in the wild, and no patches have been published yet. The affected product, AXC F 1152, is used in industrial automation and control systems, which are critical infrastructure components in manufacturing and process industries.
Potential Impact
For European organizations, especially those in manufacturing, energy, and critical infrastructure sectors that deploy PHOENIX CONTACT AXC F 1152 controllers, this vulnerability poses a significant risk. Exploitation could lead to unauthorized control over industrial processes, data theft, sabotage, or disruption of operations. Given the high integrity and availability impact, attackers could manipulate control logic, cause system downtime, or introduce safety hazards. The ability to execute arbitrary code with elevated privileges after exploiting the vulnerability increases the risk of persistent threats and lateral movement within industrial networks. This could also lead to compliance violations under EU regulations such as NIS2, which mandates stringent cybersecurity measures for critical infrastructure. The lack of patches increases exposure time, and the requirement for only low privileged access means that any initial foothold (e.g., through phishing or network intrusion) could be escalated to full system compromise.
Mitigation Recommendations
1. Enforce network segmentation and strict access controls immediately to limit file access privileges on AXC F 1152 devices, ensuring only trusted and authenticated users can reach the file system.
2. Monitor and audit file system changes on the devices to detect unauthorized modifications to critical watchdog files.
3. Employ application whitelisting or integrity verification mechanisms to prevent unauthorized file replacements.
4. Implement strict user privilege management to minimize the number of users with file access rights.
5. Use network intrusion detection systems (NIDS) tuned for industrial protocols to detect anomalous activity.
6. Coordinate with PHOENIX CONTACT for timely patch releases and apply updates as soon as they become available.
7. Conduct regular security assessments and penetration testing focused on file access controls and watchdog integrity.
8. Develop incident response plans specific to industrial control system compromises so affected devices can be isolated and remediated quickly.
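The following is an added example, not code from the advisory, from PHOENIX CONTACT, or from the AXC F 1152 firmware. It shows the CWE-59 pattern on a generic POSIX system and the two defensive measures the mitigations above call for: a privileged reader that refuses to follow a planted link and verifies the opened inode rather than the path, and an integrity audit that flags a critical file that has been swapped for a link, changed owner, or become writable by others. The file names (`watchdog.conf`, `other-file`) and the temporary directory are constructed placeholders and say nothing about the device's real file layout.

```python
import os
import stat
import tempfile

# Added example (not from the advisory or from PHOENIX CONTACT): the CWE-59
# pattern on a POSIX system. A privileged process reads a critical file that
# lives somewhere a low-privileged user can write. File names below are
# constructed placeholders, not the AXC F 1152's real layout.


def read_critical_naive(path):
    """Vulnerable pattern: open() resolves symbolic links, so if the critical
    file has been swapped for a link, the privileged read (or write) lands on
    whatever file the link points at."""
    with open(path, "rb") as f:
        return f.read()


def read_critical_hardened(path, expected_uid):
    """Hardened pattern: O_NOFOLLOW makes the open fail (ELOOP on Linux) if the
    final path component is a symlink, and the checks run on the opened inode
    via fstat, not on the path, so a swap after the check cannot be raced in."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid != expected_uid:
            raise PermissionError(f"{path}: owner uid {st.st_uid} != {expected_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError(f"{path}: group- or world-writable")
        f = os.fdopen(fd, "rb")          # f now owns the descriptor
    except BaseException:
        os.close(fd)
        raise
    with f:
        return f.read()


def audit_critical_files(paths, expected_uid):
    """Integrity check for mitigations 2 and 3: lstat (no link resolution) each
    critical path and report anything that is missing, a symlink, not a regular
    file, owned by the wrong uid, or writable by group/others.
    Returns a list of (path, reason) findings; an empty list means all clean."""
    findings = []
    for p in paths:
        try:
            st = os.lstat(p)
        except FileNotFoundError:
            findings.append((p, "missing"))
            continue
        if stat.S_ISLNK(st.st_mode):
            findings.append((p, f"symlink -> {os.readlink(p)}"))
        elif not stat.S_ISREG(st.st_mode):
            findings.append((p, "not a regular file"))
        elif st.st_uid != expected_uid:
            findings.append((p, f"owner uid {st.st_uid} != {expected_uid}"))
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((p, "group- or world-writable"))
    return findings


def demo():
    """Builds a throwaway directory, replaces the critical file with a symlink
    (the file replacement the advisory describes, constructed here), and
    records what each approach does. Returns a dict so the outcome is checkable."""
    with tempfile.TemporaryDirectory() as d:
        critical = os.path.join(d, "watchdog.conf")   # constructed name
        other = os.path.join(d, "other-file")         # stands in for any file on the device
        for p, data in ((critical, b"interval=5\n"), (other, b"not-for-low-priv\n")):
            with open(p, "wb") as f:
                f.write(data)
            os.chmod(p, 0o644)
        uid = os.getuid()
        intact = read_critical_hardened(critical, uid)
        clean_findings = audit_critical_files([critical], uid)

        os.remove(critical)
        os.symlink(other, critical)                   # the replacement

        naive = read_critical_naive(critical)         # follows the link
        try:
            read_critical_hardened(critical, uid)
            hardened_blocked = False
        except OSError:                               # O_NOFOLLOW refuses the link
            hardened_blocked = True
        findings = audit_critical_files([critical], uid)
        return {
            "intact": intact,
            "clean_findings": clean_findings,
            "naive_read": naive,
            "hardened_blocked": hardened_blocked,
            "findings": findings,
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

`O_NOFOLLOW` only covers the final path component; if any parent directory of the critical file is writable by a low privileged user, open the directory chain with `O_DIRECTORY | O_NOFOLLOW` and `openat` step by step, or keep the file in a directory that such users cannot write at all. The audit function is the kind of check that can run from the watchdog's own startup or from a periodic integrity job to satisfy mitigation 2 before the damage described in the summary is done.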
Affected Countries
Germany, France, Italy, Spain, Netherlands, Belgium, Poland, Czech Republic, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: CERTVDE
- Date Reserved: 2025-04-16T11:17:48.307Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 686cc7a96f40f0eb72f2523e
Added to database: 7/8/2025, 7:24:25 AM
Last enriched: 7/8/2025, 7:40:01 AM
Last updated: 8/12/2025, 9:41:55 PM