CVE-2026-22322 is a high-severity stored cross-site scripting (XSS) vulnerability identified in the Link Aggregation configuration interface of the Phoenix Contact FL SWITCH 2005 device. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), allowing an unauthenticated remote attacker to inject malicious HTML or JavaScript code by creating a trunk entry in the device's web interface. When a legitimate user accesses the affected page, the malicious script executes within their browser context, enabling unauthorized actions such as manipulation of the device's interface. Although the session cookie is protected by the httpOnly flag, which prevents theft of session cookies via JavaScript, the attacker can still perform actions within the scope of the victim's privileges, potentially altering configurations or causing denial of service. The attack requires no authentication but does require the victim to view the maliciously crafted page, meaning user interaction is necessary. The vulnerability has a CVSS 3.1 base score of 7.1, reflecting network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality, integrity, and availability. No patches or known exploits are currently available, but the vulnerability poses a significant risk to network infrastructure managed by the affected devices.

The vulnerability could allow attackers to perform unauthorized actions on the FL SWITCH 2005 device's management interface by executing malicious scripts in the context of legitimate users. This can lead to manipulation of network configurations, disruption of network services, or exposure of sensitive information displayed on the interface. Although session hijacking is mitigated by the httpOnly flag on cookies, attackers may still alter device settings or cause denial of service conditions, impacting network availability and integrity. Organizations relying on these switches for critical industrial or infrastructure networks could face operational disruptions, increased risk of lateral movement within the network, and potential compromise of network management. The unauthenticated nature of the vulnerability increases its risk, as attackers do not need credentials to exploit it, broadening the attack surface. The requirement for user interaction limits automated exploitation but does not eliminate risk in environments where administrators frequently access the device interface.

1. Immediately restrict access to the FL SWITCH 2005 management interface to trusted networks and users only, using network segmentation and firewall rules. 2. Implement strict input validation and sanitization on the Link Aggregation configuration interface to prevent injection of malicious scripts. 3. Monitor administrative access logs for suspicious activities or unexpected trunk entry creations. 4. Educate network administrators to avoid clicking on untrusted links or accessing the device interface from untrusted environments. 5. Deploy web application firewalls (WAFs) that can detect and block XSS payloads targeting the device interface. 6. Regularly check for and apply vendor patches or firmware updates as soon as they become available. 7. Consider using multi-factor authentication and session timeout policies to reduce the impact of potential exploitation. 8. Conduct periodic security assessments and penetration testing focused on the management interfaces of network devices to identify similar vulnerabilities proactively.