CVE-2025-41751 is a cross-site scripting (XSS) vulnerability classified under CWE-79, found in the pxc_portCntr.php script of the Phoenix Contact FL SWITCH 2005 device. This vulnerability arises from improper neutralization of input during web page generation, allowing an attacker to inject malicious scripts into the web management interface. An unauthenticated remote attacker can craft a malicious URL that, when visited by an authenticated user, executes arbitrary scripts within the context of the web application. This can lead to unauthorized changes to device configuration parameters accessible via the web-based management (WBM) interface. The vulnerability does not grant access to system-level resources such as operating system internals or privileged functions, limiting the scope to web application context. The session cookie is secured with the httpOnly flag, mitigating session hijacking risks. The CVSS v3.1 score is 7.1 (high), reflecting network attack vector, low attack complexity, no privileges required, but requiring user interaction and impacting confidentiality, integrity, and availability of device configurations. No patches or known exploits are currently available or reported. The vulnerability affects version 0.0.0 as listed, which likely represents all unpatched versions up to the disclosure date. The vulnerability was reserved in April 2025 and published in December 2025. The device is typically used in industrial network environments, making it a critical asset in operational technology (OT) networks.

For European organizations, especially those in industrial automation, manufacturing, energy, and critical infrastructure sectors, this vulnerability poses a significant risk. Unauthorized modification of switch configuration parameters can disrupt network segmentation, traffic flow, and security policies, potentially leading to network outages or facilitating lateral movement by attackers. Although the vulnerability does not allow direct system-level compromise, altering device configurations can degrade the integrity and availability of network operations. This can impact production lines, energy distribution, or other critical services relying on stable network infrastructure. The requirement for user interaction means phishing or social engineering could be used to exploit this vulnerability, increasing risk in environments where personnel access management interfaces. The lack of session hijacking possibility reduces some risk, but the ability to change configurations remotely remains a serious concern. European organizations with extensive deployments of Phoenix Contact FL SWITCH 2005 devices in OT environments are particularly vulnerable to operational disruptions and potential safety hazards.

1. Immediately restrict access to the web-based management interface of FL SWITCH 2005 devices to trusted networks only, using network segmentation and firewall rules to limit exposure. 2. Implement multi-factor authentication (MFA) for accessing management interfaces to reduce risk from phishing or malicious links. 3. Educate users and administrators about the risk of clicking unsolicited or suspicious links, especially those related to device management. 4. Monitor network traffic and device logs for unusual configuration changes or access patterns indicative of exploitation attempts. 5. If possible, disable web-based management interfaces when not in use or replace with more secure management methods such as SSH or dedicated management VLANs. 6. Coordinate with Phoenix Contact for official patches or firmware updates and apply them promptly once available. 7. Employ web application firewalls (WAF) or intrusion prevention systems (IPS) capable of detecting and blocking XSS payloads targeting the management interface. 8. Regularly audit device configurations and maintain backups to enable rapid restoration in case of unauthorized changes.