CVE-2025-41745 is a cross-site scripting (CWE-79) vulnerability found in the Phoenix Contact FL SWITCH 2005, specifically in the pxc_portCntr2.php web management script. The vulnerability arises from improper neutralization of input during web page generation, allowing an unauthenticated remote attacker to craft a malicious POST request that, when submitted by an authenticated user, can alter device configuration parameters accessible via the web-based management interface. The attack vector is network-based with low complexity and does not require any privileges, but it does require user interaction, as the attacker must trick an authenticated user into sending the manipulated request. The vulnerability does not expose system-level resources or privileged functions, and session cookies are protected by the httpOnly flag, preventing session hijacking. However, the attacker can modify configuration parameters within the scope of the web application, potentially impacting device behavior, network configuration, or security settings. The vulnerability has a CVSS v3.1 score of 7.1, indicating a high severity level due to its potential to affect confidentiality, integrity, and availability of the device's configuration. No patches or known exploits are currently available, but the vulnerability is publicly disclosed and should be addressed promptly to prevent misuse.

For European organizations, this vulnerability poses a significant risk to network infrastructure stability and security, especially in industrial, manufacturing, or critical infrastructure sectors where Phoenix Contact FL SWITCH 2005 devices are deployed. Unauthorized modification of device configuration can lead to network misconfigurations, degraded performance, or exposure to further attacks. Although the vulnerability does not allow full system compromise or session hijacking, the ability to alter configuration parameters can disrupt operational continuity and potentially facilitate lateral movement or denial of service within the network. Given the reliance on these devices in automation and control environments, the impact extends beyond IT networks to operational technology (OT) systems, increasing the risk of safety incidents or production downtime. The requirement for user interaction limits exploitation but does not eliminate risk, especially in environments where users have elevated privileges or where social engineering is feasible. The lack of known exploits currently reduces immediate threat but does not preclude future exploitation attempts.

European organizations should implement the following specific mitigations: 1) Immediately audit all Phoenix Contact FL SWITCH 2005 devices to identify affected versions and isolate vulnerable devices from untrusted networks. 2) Restrict access to the web-based management interface to trusted networks and enforce strong authentication and user awareness training to prevent social engineering attacks that could trick users into submitting malicious requests. 3) Employ network-level protections such as web application firewalls (WAFs) or intrusion prevention systems (IPS) configured to detect and block suspicious POST requests targeting the pxc_portCntr2.php endpoint. 4) Monitor device logs and network traffic for unusual configuration changes or anomalous POST requests. 5) Engage with Phoenix Contact for official patches or firmware updates and apply them as soon as they become available. 6) Consider implementing multi-factor authentication (MFA) for device management interfaces to reduce the risk of unauthorized configuration changes. 7) Segment OT and IT networks to limit the spread of potential attacks exploiting this vulnerability. 8) Develop incident response plans specific to network device compromise scenarios to ensure rapid containment and recovery.