CVE-2025-41668 is a high-severity vulnerability classified under CWE-59: Improper Link Resolution Before File Access ('Link Following') affecting the PHOENIX CONTACT AXC F 1152 industrial controller. This vulnerability allows a low-privileged remote attacker who already has some file access on the device to exploit improper handling of symbolic links or similar link mechanisms. By replacing a critical file or folder used by the service 'security-profile', the attacker can escalate privileges to gain read, write, and execute access to any file on the device. The vulnerability arises because the system does not properly validate or resolve symbolic links before accessing files, enabling an attacker to redirect file operations to arbitrary locations. The CVSS v3.1 base score of 8.8 reflects the high impact on confidentiality, integrity, and availability, with network attack vector, low attack complexity, and no user interaction required. Although exploitation requires some initial file access (low privilege), the attacker can leverage this to fully compromise the device, potentially leading to complete system takeover. No known public exploits are reported yet, and no patches are currently linked, indicating that mitigation may require vendor intervention or manual workarounds.

For European organizations, especially those in critical infrastructure sectors such as manufacturing, energy, and automation that deploy PHOENIX CONTACT AXC F 1152 controllers, this vulnerability poses a significant risk. Successful exploitation could allow attackers to manipulate industrial control processes, disrupt operations, or exfiltrate sensitive operational data. The ability to gain full file system access undermines device integrity and availability, potentially causing production downtime or safety hazards. Given the widespread use of PHOENIX CONTACT products in European industrial environments, the impact could extend to supply chain disruptions and economic losses. Furthermore, attackers could use compromised devices as footholds for lateral movement within industrial networks, increasing the risk of broader operational technology (OT) network compromise.

Organizations should immediately audit access controls to ensure that only trusted and authenticated users have file access on AXC F 1152 devices. Network segmentation should be enforced to restrict remote file access to these devices. Monitoring for unusual file system changes or symbolic link manipulations can help detect exploitation attempts. Until a vendor patch is available, consider implementing strict file integrity monitoring and disabling any unnecessary remote file access services. Employing application whitelisting or restricting execution permissions on critical directories may reduce exploitation risk. Engage with PHOENIX CONTACT support to obtain guidance or firmware updates addressing this vulnerability. Additionally, conduct thorough security assessments of industrial controllers to identify and remediate similar link-following weaknesses.