CVE-2025-41746 is a cross-site scripting (XSS) vulnerability classified under CWE-79 found in the Phoenix Contact FL SWITCH 2005 device, specifically in the pxc_portSecCfg.php component of its web-based management interface (WBM). The vulnerability allows an unauthenticated remote attacker to craft a malicious POST request that, if sent by an authenticated user, can alter configuration parameters exposed via the WBM. The attack vector involves tricking an authenticated user into submitting this manipulated request, leveraging the web interface's improper input neutralization during page generation. Although the vulnerability does not grant access to operating system internals or privileged functions, it enables changes to device configuration parameters, potentially impacting network behavior and security posture. The session cookie is protected by the httpOnly flag, preventing session hijacking through this attack. The CVSS v3.1 score of 7.1 reflects a high severity due to network attack vector, no privileges required, low attack complexity, requirement for user interaction, and impacts on confidentiality, integrity, and availability within the scope of the web application. No patches or known exploits are currently available, and the vulnerability was published in December 2025. This vulnerability is significant for environments relying on FL SWITCH 2005 devices for industrial network switching, where unauthorized configuration changes could disrupt operations or weaken security controls.

For European organizations, especially those in industrial automation, manufacturing, energy, and critical infrastructure sectors, this vulnerability poses a significant risk. Unauthorized changes to switch configuration can lead to network disruptions, unauthorized network access, or weakened security controls, potentially facilitating further attacks or operational failures. Although the vulnerability does not allow direct system-level compromise or session hijacking, the ability to alter device configurations remotely can degrade network integrity and availability. This is particularly critical in environments where network switches are integral to operational technology (OT) networks, where downtime or misconfiguration can have safety and economic consequences. The requirement for user interaction means social engineering or phishing campaigns could be used to exploit this vulnerability, increasing the risk in organizations with less mature security awareness programs. The absence of known exploits in the wild provides a window for proactive mitigation, but the high CVSS score indicates the need for urgent attention.

1. Implement strict network segmentation to isolate management interfaces of FL SWITCH 2005 devices from general user networks, reducing exposure to unauthenticated attackers. 2. Enforce multi-factor authentication (MFA) for access to the web-based management interface to reduce the risk of unauthorized access. 3. Educate users with access to the device management interface about phishing and social engineering tactics to prevent inadvertent submission of malicious requests. 4. Monitor network traffic for unusual POST requests targeting the pxc_portSecCfg.php endpoint and implement Web Application Firewall (WAF) rules to detect and block suspicious payloads indicative of XSS attempts. 5. Regularly audit device configurations and logs to detect unauthorized changes promptly. 6. Engage with Phoenix Contact for firmware updates or patches addressing this vulnerability and apply them as soon as available. 7. Where patching is not immediately possible, consider disabling or restricting access to the vulnerable web interface or using VPNs with strict access controls for remote management. 8. Employ Content Security Policy (CSP) headers if configurable on the device to mitigate XSS impact by restricting script execution sources.