CVE-2025-41692 identifies a security vulnerability in the Phoenix Contact FL SWITCH 2005 device, specifically related to the use of password hashes with insufficient computational effort (CWE-916). The device employs a weak password generation or hashing algorithm for the underlying operating system's root and user accounts. An attacker who already has high privileged access to the device's web user interface (webUI) can leverage this weakness to brute-force the OS-level passwords. This means that although initial access requires admin privileges on the webUI, the attacker can escalate privileges to the OS level by efficiently guessing the root and user passwords due to the weak hashing mechanism. The vulnerability does not require user interaction and can be exploited remotely over the network. The CVSS v3.1 score of 6.8 reflects a medium severity, with a high impact on confidentiality (C), no impact on integrity (I), and no impact on availability (A). The attack vector is network-based (AV:N), with low attack complexity (AC:L), but requires high privileges (PR:H) and no user interaction (UI:N). The scope is changed (S:C), indicating that the vulnerability affects resources beyond the initially compromised component. No public exploits or patches are currently available, increasing the urgency for affected organizations to implement compensating controls. The vulnerability is particularly concerning for industrial environments where FL SWITCH 2005 devices are deployed, as compromise of OS credentials could lead to further lateral movement or disruption of critical infrastructure.

For European organizations, especially those in industrial automation, manufacturing, energy, and critical infrastructure sectors, this vulnerability poses a significant risk. FL SWITCH 2005 devices are commonly used in industrial networks for managing Ethernet switches and communication. If an attacker gains admin access to the device's webUI, they can escalate privileges to the OS level, potentially gaining persistent control over the device. This could lead to unauthorized data access, manipulation of network traffic, or use of the device as a foothold for further attacks within the network. The confidentiality of sensitive operational data is at high risk, although integrity and availability impacts are not directly indicated. Given the interconnected nature of industrial control systems in Europe, exploitation could facilitate broader attacks on critical infrastructure. The lack of available patches means organizations must rely on network segmentation and access controls to mitigate risk. The medium severity rating suggests that while the vulnerability is serious, it is not trivially exploitable without prior admin access, somewhat limiting its immediate impact but not diminishing the need for remediation.

1. Restrict and tightly control administrative access to the FL SWITCH 2005 webUI, limiting it to trusted management networks and personnel only. 2. Implement strong network segmentation to isolate industrial control devices from general IT networks and the internet. 3. Monitor webUI access logs for signs of brute-force attempts or unusual login activity, and configure alerts for repeated failed authentication attempts. 4. Enforce multi-factor authentication (MFA) for webUI access if supported by the device or through network access controls. 5. Regularly audit and update passwords for both webUI and OS-level accounts to use strong, complex credentials. 6. Engage with Phoenix Contact for updates or patches addressing this vulnerability and apply them promptly once available. 7. Consider deploying intrusion detection/prevention systems (IDS/IPS) capable of identifying brute-force or suspicious activity targeting these devices. 8. Conduct security awareness training for administrators managing these devices to recognize and respond to potential compromise indicators. 9. Evaluate alternative devices or firmware versions with improved security postures if patching is delayed or unavailable. 10. Maintain an incident response plan tailored to industrial control system compromises to quickly contain and remediate any exploitation attempts.