CVE-2025-41752 is a cross-site scripting (XSS) vulnerability classified under CWE-79, found in the Phoenix Contact FL SWITCH 2005 device, specifically in the pxc_portSfp.php component of its web-based management (WBM) interface. The vulnerability arises from improper neutralization of input during web page generation, allowing an unauthenticated remote attacker to craft a malicious URL that, when clicked by an authenticated user, executes arbitrary scripts within the context of the device's web application. This can lead to unauthorized changes in device configuration parameters accessible through the WBM. The vulnerability does not extend to system-level resources or privileged OS functions, limiting the attack surface to the web application layer. The session cookie is secured with the httpOnly flag, mitigating session hijacking risks. The CVSS v3.1 score is 7.1 (high), reflecting network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality, integrity, and availability within the scope of the web application. No patches are currently linked, and no known exploits have been reported in the wild. The vulnerability was reserved in April 2025 and published in December 2025. This vulnerability is particularly concerning for industrial control environments where FL SWITCH 2005 devices are deployed, as unauthorized configuration changes could disrupt network operations or degrade security postures.

For European organizations, particularly those in industrial sectors such as manufacturing, energy, and critical infrastructure that deploy Phoenix Contact FL SWITCH 2005 devices, this vulnerability poses a significant risk. Exploitation could allow attackers to manipulate network switch configurations, potentially disrupting network segmentation, traffic flows, or security policies. This could lead to degraded operational availability, unauthorized data exposure, or facilitate lateral movement within industrial networks. Although the vulnerability does not allow direct OS-level compromise or session hijacking, the ability to alter device configurations can indirectly impact the confidentiality, integrity, and availability of industrial control systems. Given the critical role of such switches in operational technology (OT) networks, exploitation could have cascading effects on production processes and safety systems. The requirement for user interaction limits mass exploitation but targeted spear-phishing or social engineering campaigns against network administrators remain a viable threat vector.

European organizations should implement the following specific mitigations: 1) Immediately restrict access to the FL SWITCH 2005 web management interface to trusted networks and users only, ideally via VPN or secure management VLANs. 2) Employ strict input validation and output encoding on any user-supplied data in the web interface, if custom modifications are possible. 3) Monitor and audit web management access logs for suspicious activity or unexpected parameter changes. 4) Educate network administrators about the risks of clicking untrusted links and implement phishing awareness training. 5) Use network segmentation to isolate management interfaces from general user networks. 6) Apply compensating controls such as multi-factor authentication (MFA) for web management access if supported. 7) Regularly check for vendor patches or firmware updates addressing this vulnerability and apply them promptly once available. 8) Consider deploying web application firewalls (WAFs) or intrusion detection systems (IDS) tuned to detect XSS attack patterns targeting the device’s management interface.