XSS Vulnerability in Web-Based Management of Networking Device from Vendor
CVE-2025-41750

7.1 HIGH

Key Information:

Vendor
CVE Published: 9 December 2025

What is CVE-2025-41750?

An XSS vulnerability in the pxc_PortCfg.php file of a web-based management interface allows an unauthenticated remote attacker to trick an authenticated user into clicking a malicious link. This could lead to unauthorized changes to the device configuration parameters available through the web management tool. The impact is confined to the parameters reachable within the web application and does not extend to system-level resources or privileged functions. Additionally, the session cookie is set with the httpOnly flag, which provides a layer of protection against session hijacking.

Affected Version(s)

FL NAT 2008 0.0.0 < 3.50

FL NAT 2208 0.0.0 < 3.50

FL NAT 2304-2GC-2SFP 0.0.0 < 3.50

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

D. Blagojevic, S. Dietz, F. Koroknai, T. Weber from CyberDanube.