CVE-2025-41749 is an XSS vulnerability categorized under CWE-79 found in the Phoenix Contact FL SWITCH 2005, specifically in the port_util.php script used in the device's web-based management interface (WBM). The flaw arises from improper neutralization of user-supplied input during web page generation, allowing an attacker to inject malicious scripts. An unauthenticated attacker can craft a URL containing malicious payloads that, when clicked by an authenticated user, causes the victim's browser to execute the injected script within the context of the WBM. This enables the attacker to alter device configuration parameters accessible via the web interface. However, the vulnerability does not grant access to operating system internals or privileged functions, limiting the attack surface. The session cookie is protected by the httpOnly flag, preventing session cookie theft and session hijacking. The attack requires user interaction (clicking the malicious link) but no prior authentication, increasing the attack vector. The CVSS v3.1 base score is 7.1, reflecting network attack vector, low attack complexity, no privileges required, user interaction needed, and impacts on confidentiality, integrity, and availability at a low level. No patches or known exploits are currently available, but the vulnerability is publicly disclosed and should be addressed promptly.

For European organizations, especially those in industrial automation, manufacturing, and critical infrastructure sectors that deploy Phoenix Contact FL SWITCH 2005 devices, this vulnerability poses a significant risk. Successful exploitation can lead to unauthorized modification of network switch configurations, potentially disrupting network operations, causing denial of service, or enabling further lateral attacks within industrial control systems. Although the vulnerability does not allow direct system compromise or session hijacking, manipulation of device parameters can degrade network reliability and security posture. Given the importance of industrial network switches in operational technology (OT) environments, any disruption can have cascading effects on production lines, safety systems, and critical services. The requirement for user interaction limits mass exploitation but targeted spear-phishing or social engineering campaigns could be effective. The lack of known exploits currently reduces immediate risk but does not eliminate it, as attackers may develop exploits following public disclosure.

European organizations should implement the following specific mitigations: 1) Immediately restrict access to the FL SWITCH 2005 web management interface to trusted networks and users only, ideally via VPN or secure management VLANs. 2) Educate users with access to the management interface about the risks of clicking unsolicited or suspicious links, emphasizing social engineering awareness. 3) Monitor network traffic and logs for unusual requests to port_util.php or unexpected configuration changes. 4) Apply any vendor patches or firmware updates as soon as they become available; if no patch exists, consider compensating controls such as disabling web management if feasible or using alternative management methods. 5) Employ web application firewalls (WAFs) or intrusion prevention systems (IPS) capable of detecting and blocking XSS payloads targeting the management interface. 6) Enforce strong authentication and session management policies, even though session hijacking is mitigated by httpOnly cookies, to reduce risk from other attack vectors. 7) Conduct regular security assessments and penetration testing of OT network devices to identify and remediate similar vulnerabilities proactively.