CVE-2025-41695 is a cross-site scripting (XSS) vulnerability classified under CWE-79, affecting the Phoenix Contact FL SWITCH 2005 series. The flaw exists in the dyn_conn.php script, which improperly neutralizes input during web page generation, allowing an attacker to inject malicious scripts. The attack vector is remote and requires no authentication, but successful exploitation depends on tricking an authenticated user into submitting a manipulated POST request. This request can modify configuration parameters accessible through the device's web-based management interface (WBM). Although the vulnerability does not grant access to system-level resources or privileged OS functions, it compromises the integrity and availability of device configurations. The session cookie is protected by the httpOnly flag, mitigating session hijacking risks. The CVSS v3.1 score is 7.1 (high), reflecting the ease of exploitation (network vector, no privileges required) and the impact on confidentiality, integrity, and availability within the scope of the web application. No patches are currently linked, and no known exploits have been observed in the wild. The vulnerability poses a risk to industrial control and network environments where these switches are deployed, potentially enabling attackers to disrupt network operations or degrade device functionality by altering configuration parameters.

For European organizations, especially those in industrial automation, manufacturing, energy, and critical infrastructure sectors, this vulnerability could lead to unauthorized changes in network switch configurations. Such changes might cause network disruptions, degrade performance, or create conditions for further attacks within operational technology (OT) environments. Although system-level compromise is not possible, the ability to alter device settings can undermine network reliability and safety. The requirement for user interaction (an authenticated user submitting a malicious request) means social engineering or phishing could be used as an attack vector. Given the widespread use of Phoenix Contact products in European industrial sectors, the potential impact includes operational downtime, safety risks, and compliance violations with regulations such as NIS2. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits post-disclosure.

Organizations should immediately review and restrict access to the web-based management interface of FL SWITCH 2005 devices, limiting it to trusted networks and personnel. Implement network segmentation to isolate management interfaces from general user networks. Employ strong user awareness training to reduce the risk of social engineering attacks that could trick authenticated users into submitting malicious requests. Monitor network traffic for unusual POST requests targeting dyn_conn.php or other management endpoints. Since no patches are currently available, consider deploying web application firewalls (WAFs) or intrusion prevention systems (IPS) with custom rules to detect and block XSS payloads targeting this device. Regularly audit device configurations and logs for unauthorized changes. Engage with Phoenix Contact for updates on patches or firmware upgrades addressing this vulnerability and plan timely deployment once available. Additionally, enforce multi-factor authentication (MFA) for accessing management interfaces where possible to reduce the risk of unauthorized access.