CVE-2025-41752 is a cross-site scripting (XSS) vulnerability identified in the Phoenix Contact FL SWITCH 2005, specifically within the pxc_portSfp.php component of its web-based management (WBM) interface. The vulnerability arises due to improper neutralization of input during web page generation (CWE-79), allowing an attacker to inject malicious scripts. An unauthenticated remote attacker can exploit this by crafting a malicious URL that, when visited by an authenticated user, executes script code in the context of the victim’s browser session. This can lead to unauthorized changes to device configuration parameters exposed through the WBM interface. Although the session cookie is protected by the httpOnly flag, preventing session hijacking, the attacker can still manipulate configuration settings, potentially impacting device operation. The attack requires user interaction (clicking the malicious link) but no authentication is needed to deliver the payload. The vulnerability does not grant access to underlying operating system resources or privileged functions, limiting the scope to the web application context. The CVSS v3.1 score of 7.1 reflects a high severity due to network accessibility, low attack complexity, no privileges required, but requiring user interaction and affecting confidentiality, integrity, and availability at a limited scope. No patches or exploits are currently reported, but the vulnerability is publicly disclosed and should be addressed promptly.

For European organizations, especially those in industrial automation, manufacturing, and critical infrastructure sectors relying on Phoenix Contact FL SWITCH 2005 devices, this vulnerability poses a significant risk. Successful exploitation can lead to unauthorized modification of network switch configurations, potentially disrupting network traffic, causing denial of service, or creating backdoors for further attacks. Although system-level compromise is not possible, manipulation of device parameters can degrade network reliability and security posture. The requirement for user interaction limits mass exploitation but targeted phishing or social engineering campaigns could be effective. Given the widespread use of Phoenix Contact products in European industrial environments, the impact could extend to operational technology (OT) networks, affecting production lines and critical services. The inability to hijack sessions reduces risk of credential theft but does not eliminate the threat of configuration tampering. Organizations may face operational downtime, compliance issues, and increased risk of lateral movement within networks if this vulnerability is exploited.

Organizations should implement the following specific mitigations: 1) Immediately restrict access to the web-based management interface of FL SWITCH 2005 devices to trusted networks and VPNs, minimizing exposure to untrusted users. 2) Educate users about phishing and social engineering risks to reduce likelihood of clicking malicious links. 3) Monitor network traffic and device logs for unusual configuration changes or access patterns indicative of exploitation attempts. 4) Employ web application firewalls (WAFs) with rules to detect and block XSS payloads targeting the vulnerable endpoint. 5) If possible, disable or limit the use of the vulnerable pxc_portSfp.php interface or isolate management interfaces on separate VLANs. 6) Engage with Phoenix Contact for firmware updates or patches addressing this vulnerability and apply them promptly once available. 7) Implement multi-factor authentication (MFA) on management interfaces to add an additional security layer, even though the vulnerability does not require authentication. 8) Conduct regular security assessments and penetration testing focused on OT and network device interfaces to identify similar weaknesses.