CVE-2025-41695 is a cross-site scripting (XSS) vulnerability classified under CWE-79, found in the dyn_conn.php component of the Phoenix Contact FL SWITCH 2005 device's web-based management interface (WBM). The vulnerability allows an unauthenticated remote attacker to craft malicious web content that can trick an authenticated user into sending a manipulated POST request to the device. This request can alter configuration parameters accessible through the WBM, potentially changing device behavior or network settings. The vulnerability does not expose operating system internals or privileged functions, limiting the attacker's reach to the web application's configuration context. The session cookie is protected by the httpOnly flag, which mitigates session hijacking risks. The attack requires user interaction, such as clicking a malicious link or visiting a crafted webpage while authenticated to the device. The CVSS v3.1 score of 7.1 reflects the vulnerability's network attack vector, low attack complexity, no privileges required, requirement for user interaction, and impacts on confidentiality, integrity, and availability with a scope change. No public exploits are currently known, but the vulnerability poses a significant risk to device configuration integrity and network stability if exploited. The lack of available patches at the time of publication necessitates immediate mitigation efforts by affected organizations.

For European organizations, especially those in industrial automation and critical infrastructure sectors, this vulnerability poses a risk of unauthorized modification of network switch configurations. Such changes could disrupt network traffic, degrade performance, or create backdoors for further attacks, impacting operational continuity and safety. Although system-level compromise is not possible, the ability to alter device parameters can lead to misconfigurations that affect network segmentation, monitoring, and security controls. The requirement for user interaction means social engineering or phishing tactics could be employed to exploit this vulnerability. Given the widespread use of Phoenix Contact products in European manufacturing, energy, and transportation sectors, exploitation could have cascading effects on industrial processes and critical services. The vulnerability's impact on confidentiality, integrity, and availability of device configurations underscores the importance of timely mitigation to prevent potential operational disruptions and data exposure.

1. Restrict access to the FL SWITCH 2005 web management interface to trusted networks and users only, using network segmentation and firewall rules. 2. Implement strong authentication mechanisms and consider multi-factor authentication to reduce the risk of unauthorized access. 3. Educate users about the risks of interacting with unsolicited links or emails that could trigger the XSS attack. 4. Employ web application firewalls (WAFs) or intrusion prevention systems (IPS) capable of detecting and blocking malicious POST requests targeting the vulnerable endpoint. 5. Monitor device logs and network traffic for unusual configuration changes or access patterns indicative of exploitation attempts. 6. Apply input validation and output encoding on the web interface if custom modifications are possible, to neutralize malicious input. 7. Coordinate with Phoenix Contact for official patches or firmware updates and apply them promptly once available. 8. Consider isolating management interfaces from general user access and enforce strict session management policies.