CVE-2025-41747 is a cross-site scripting (XSS) vulnerability classified under CWE-79, found in the Phoenix Contact FL SWITCH 2005 device's web-based management interface, specifically in the pxc_vlanIntfCfg.php script. The vulnerability arises due to improper neutralization of input during web page generation, allowing an unauthenticated remote attacker to craft a malicious POST request that, when sent to the device, can manipulate parameters accessible through the web management interface. The attack relies on tricking an authenticated user into submitting this manipulated request, thus requiring user interaction but no prior authentication. The vulnerability does not grant access to system-level resources or privileged OS functions; rather, it limits the attacker’s influence to configuration parameters within the web application context. The session cookie is protected by the httpOnly flag, which prevents attackers from stealing session cookies via client-side scripts, thus mitigating session hijacking risks. The CVSS v3.1 base score is 7.1, reflecting a high severity due to network attack vector, low attack complexity, no privileges required, but requiring user interaction, and impacting confidentiality, integrity, and availability to a limited extent. No public exploits have been reported yet, but the vulnerability poses a significant risk to the integrity and availability of device configurations, which could disrupt industrial network operations.

For European organizations, especially those in industrial sectors relying on Phoenix Contact FL SWITCH 2005 devices for critical network infrastructure, this vulnerability could lead to unauthorized changes in network switch configurations. Such changes might degrade network performance, cause denial of service, or open pathways for further attacks within operational technology (OT) environments. Although the vulnerability does not allow direct system-level compromise, manipulation of device parameters can impact network segmentation, VLAN configurations, or access controls, potentially exposing sensitive industrial control systems. Given the widespread use of Phoenix Contact products in European manufacturing, energy, and infrastructure sectors, the impact could be significant, disrupting industrial processes and causing operational downtime. The requirement for user interaction means phishing or social engineering campaigns could be leveraged to exploit this vulnerability, increasing the risk in environments with less security awareness or insufficient user training.

Organizations should immediately verify if they use Phoenix Contact FL SWITCH 2005 devices and monitor vendor communications for patches or firmware updates addressing CVE-2025-41747. In the absence of patches, network administrators should restrict access to the web management interface to trusted management networks only, employing network segmentation and firewall rules to block unauthorized access. Implement strict access controls and multi-factor authentication for device management interfaces to reduce the risk of user interaction exploitation. Security awareness training should emphasize phishing and social engineering risks to prevent users from submitting malicious requests. Additionally, enable logging and monitoring of management interface activities to detect anomalous configuration changes. Consider deploying web application firewalls (WAFs) or intrusion detection/prevention systems (IDS/IPS) capable of detecting and blocking malicious POST requests targeting the vulnerable endpoint. Regularly audit device configurations to identify unauthorized changes promptly.