CVE-2025-41746 is a cross-site scripting vulnerability classified under CWE-79, found in the Phoenix Contact FL SWITCH 2005 device's web-based management interface, specifically in the pxc_portSecCfg.php component. The vulnerability arises from improper neutralization of input during web page generation, allowing an attacker to inject malicious scripts. An unauthenticated remote attacker can exploit this by tricking an authenticated user into submitting a manipulated POST request, which alters configuration parameters exposed via the web interface. The vulnerability does not permit access to operating system internals or privileged functions, limiting impact to the web application's configuration context. The session cookie is protected with the httpOnly flag, preventing session hijacking through script access. The CVSS v3.1 score is 7.1 (high), reflecting network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality, integrity, and availability. Although no exploits are currently known in the wild, the vulnerability poses a significant risk to device configuration integrity and network stability, especially in industrial environments where these switches are deployed. The lack of available patches at the time of publication necessitates immediate mitigation efforts.

For European organizations, particularly those in industrial, manufacturing, energy, and critical infrastructure sectors relying on Phoenix Contact FL SWITCH 2005 devices, this vulnerability could lead to unauthorized changes in network switch configurations. Such changes might degrade network performance, create security gaps, or disrupt operational technology (OT) environments. While the vulnerability does not allow full system compromise or session hijacking, the ability to alter device parameters remotely can facilitate further attacks or cause denial of service conditions. Given the strategic importance of industrial control systems in Europe, exploitation could have cascading effects on production lines, utilities, or transportation networks. The requirement for user interaction limits automated exploitation but does not eliminate risk, especially in environments with less stringent user security awareness or where phishing campaigns could be used to induce the necessary interaction.

1. Immediately restrict access to the web-based management interface of FL SWITCH 2005 devices to trusted networks and users only, using network segmentation and firewall rules. 2. Implement strict input validation and sanitization on all user-supplied data in the management interface, if possible via configuration or vendor updates. 3. Educate users about the risks of interacting with unsolicited or suspicious links or requests that could trigger malicious POST submissions. 4. Monitor device configuration changes and logs for unusual or unauthorized modifications to detect potential exploitation attempts early. 5. Apply any vendor-released patches or firmware updates as soon as they become available. 6. Consider deploying web application firewalls (WAFs) or intrusion prevention systems (IPS) that can detect and block XSS attack patterns targeting these devices. 7. Use multi-factor authentication and strong password policies for accessing device management interfaces to reduce risk if user credentials are compromised. 8. Regularly audit and update device firmware and configurations to maintain security hygiene.