
CVE-2025-41705: CWE-523 Unprotected Transport of Credentials in Phoenix Contact QUINT4-UPS/24DC/24DC/5/EIP

Severity: Medium
Tags: Vulnerability, CVE-2025-41705, CWE-523
Published: Tue Oct 14 2025 (10/14/2025, 08:05:43 UTC)
Source: CVE Database V5
Vendor/Project: Phoenix Contact
Product: QUINT4-UPS/24DC/24DC/5/EIP

Description

An unauthenticated remote attacker (MITM) can intercept the websocket messages to gain access to the login credentials for the Webfrontend.

AI-Powered Analysis

Last updated: 10/14/2025, 08:46:00 UTC

Technical Analysis

CVE-2025-41705 is a vulnerability classified under CWE-523 (Unprotected Transport of Credentials) affecting the Phoenix Contact QUINT4-UPS/24DC/24DC/5/EIP device. The issue arises because websocket messages used for authentication in the device's web frontend are transmitted without adequate protection, allowing an unauthenticated remote attacker positioned as a man-in-the-middle (MITM) to intercept these messages and extract login credentials. The vulnerability does not require prior authentication but does require the attacker to have network access to intercept the websocket traffic, which may also require user interaction to trigger the login process. The CVSS v3.1 base score is 6.8 (medium severity), reflecting high impact on confidentiality and integrity but no impact on availability, and a higher attack complexity due to the need for MITM positioning and user interaction. The vulnerability affects version VC:00 of the product, with no patches currently available. The lack of encryption or secure transport for websocket communication is the root cause, exposing sensitive credentials to interception. This vulnerability could allow attackers to gain unauthorized access to the device's web interface, potentially leading to further compromise of industrial control systems or power management infrastructure. No known exploits have been reported in the wild as of the publication date. The vulnerability was reserved in April 2025 and published in October 2025 by CERTVDE.

Potential Impact

For European organizations, especially those operating industrial automation, manufacturing, or critical infrastructure sectors, this vulnerability poses a significant risk. The Phoenix Contact QUINT4-UPS series is commonly used in power supply and uninterruptible power supply (UPS) systems that support critical operations. Compromise of login credentials via MITM attacks could allow attackers to manipulate UPS settings, disrupt power management, or gain a foothold into broader industrial control networks. This could lead to operational disruptions, safety hazards, and potential cascading failures in critical infrastructure. Confidentiality and integrity of credentials are directly impacted, increasing the risk of unauthorized access and control. Although availability is not directly affected by this vulnerability, the resulting unauthorized access could be leveraged to cause denial of service or sabotage. European organizations with remote or network-exposed management interfaces are particularly vulnerable. The absence of known exploits currently provides a window for proactive mitigation before active exploitation occurs.

Mitigation Recommendations

1. Immediately restrict network access to the QUINT4-UPS web frontend to trusted and segmented networks, minimizing exposure to potential MITM attackers.
2. Implement network-level encryption such as VPN tunnels or IPsec to protect websocket traffic if TLS is not yet supported by the device.
3. Monitor network traffic for unusual websocket connections or repeated login attempts indicative of interception or credential harvesting.
4. Engage with Phoenix Contact for firmware updates or patches that enable secure transport (TLS) for websocket communications and apply them promptly once available.
5. Employ strong authentication mechanisms and consider multi-factor authentication if supported to reduce the impact of credential compromise.
6. Conduct regular security audits and penetration tests focusing on industrial control system interfaces to identify similar weaknesses.
7. Educate operational technology (OT) staff on the risks of unencrypted management interfaces and the importance of network segmentation and secure communications.
8. If possible, disable remote web frontend access or replace it with more secure management methods until the vulnerability is remediated.
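As an added illustration of the monitoring in step 3 (example code, not part of this advisory or of any Phoenix Contact tooling), the script below scans constructed proxy-style log lines for WebSocket handshakes to the device that are not carried over TLS, which is the channel CWE-523 concerns here, and lists clients that repeatedly open such sessions. The log format, hosts and addresses are assumptions made up for the example.

```python
import re
from collections import Counter

# Constructed sample lines in a hypothetical proxy-log format (not the device's own
# logs): <timestamp> <client> <server>:<port> <scheme> "<request line>" upgrade=<value>
SAMPLE_LOG = """\
2025-10-14T08:05:01Z 10.0.5.21 10.0.5.10:80 http "GET /ws HTTP/1.1" upgrade=websocket
2025-10-14T08:05:02Z 10.0.5.21 10.0.5.10:80 http "GET /ws HTTP/1.1" upgrade=websocket
2025-10-14T08:05:09Z 10.0.5.21 10.0.5.10:80 http "GET /ws HTTP/1.1" upgrade=websocket
2025-10-14T08:06:00Z 10.0.5.33 10.0.5.10:443 https "GET /ws HTTP/1.1" upgrade=websocket
2025-10-14T08:06:30Z 10.0.5.40 10.0.5.10:80 http "GET /index.html HTTP/1.1" upgrade=-
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<server>\S+):(?P<port>\d+) (?P<scheme>https?) '
    r'"(?P<request>[^"]*)" upgrade=(?P<upgrade>\S+)$'
)

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def cleartext_websocket_upgrades(log_text):
    """Return (client, server, port) for every WebSocket handshake not carried over
    TLS. On the affected device this channel later carries the web-frontend login."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["upgrade"].lower() == "websocket" and rec["scheme"] == "http":
            hits.append((rec["client"], rec["server"], int(rec["port"])))
    return hits

def noisy_clients(log_text, threshold=3):
    """Clients that opened at least `threshold` cleartext WebSocket sessions, the
    'repeated login attempts' indicator the advisory asks operators to watch for."""
    counts = Counter(c for c, _, _ in cleartext_websocket_upgrades(log_text))
    return sorted(c for c, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for hit in cleartext_websocket_upgrades(SAMPLE_LOG):
        print("cleartext websocket handshake:", hit)
    print("clients with repeated cleartext sessions:", noisy_clients(SAMPLE_LOG))
```

The TLS session on port 443 and the plain page fetch are not reported; only the three cleartext handshakes from 10.0.5.21 are flagged.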


Technical Details

Data Version: 5.1
Assigner Short Name: CERTVDE
Date Reserved: 2025-04-16T11:17:48.310Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68ee0d9d9bdcb328280b3ed3

Added to database: 10/14/2025, 8:45:17 AM

Last enriched: 10/14/2025, 8:46:00 AM

Last updated: 10/14/2025, 2:55:45 PM

