Cyber Resilience

CVE-2025-41746

High

Published: 09 December 2025

Published
09 December 2025
Modified
19 December 2025
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0013 31.2th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-41746 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Phoenixcontact Fl Switch 2303-8Sp1. Its CVSS base score is 7.1 (High).

Operationally, ranked at the 31.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

An XSS vulnerability in pxc_portSecCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to send a manipulated POST request to the device in order to change parameters available via web based management (WBM). The vulnerability…

more

does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

phoenixcontact
fl switch 2406-2sfx pn firmware
≤ 3.50
phoenixcontact
fl switch 2408 firmware
≤ 3.50
phoenixcontact
fl switch 2408 pn firmware
≤ 3.50
phoenixcontact
fl switch 2412-2tc-2sfx firmware
≤ 3.50
phoenixcontact
fl switch 2414-2sfx firmware
≤ 3.50
phoenixcontact
fl switch 2414-2sfx pn firmware
≤ 3.50
phoenixcontact
fl switch 2416 firmware
≤ 3.50
phoenixcontact
fl switch 2416 pn firmware
≤ 3.50
phoenixcontact
fl switch 2504-2gc-2sfp firmware
≤ 3.50
phoenixcontact
fl switch 2506-2sfp firmware
≤ 3.50
+59 more product configuration(s) — see NVD for full list

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-79

Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.

addresses: CWE-79

Validates web inputs to reject script-related content that could produce XSS.

addresses: CWE-79

Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.

References