24h | 7d | 30d

CVE-2025-41747

Overview

  • Phoenix Contact
  • FL SWITCH 2005
09 Dec 2025
Published
09 Dec 2025
Updated
CVSS v3.1
HIGH (7.1)
EPSS
0.08%
KEV

Description

An XSS vulnerability in pxc_vlanIntfCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to send a manipulated POST request to the device in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user.

Statistics

  • 1 Post
Last activity: 7 hours ago

Fediverse

Profile picture
CERT@VDE @certvde

VDE-2025-071
Phoenix Contact: Multiple Vulnerabilities in FL SWITCH 2xxx Firmware

Multiple vulnerabilities have been identified in the FL SWITCH 2xxx firmware prior to version 3.50. Two of these (CVE-2025-41692 and CVE-2025-41696) enable an attacker to access the device's file system. Two other vulnerabilities (CVE-2025-41693 and CVE-2025-41694) are related to Denial of Service (DoS) attacks, which partly limit the device's functionality. Another vulnerability (CVE-2025-41697) allows an unauthenticated physical attacker to access a login shell via an undocumented UART port. Furthermore, there are multiple vulnerabilities relating to reflected cross-site scripting in the web-based management of the device. All vulnerabilities have been resolved in firmware version 3.50.
CVE-2025-41752, CVE-2025-41751, CVE-2025-41750, CVE-2025-41749, CVE-2025-41748, CVE-2025-41747, CVE-2025-41746, CVE-2025-41745, CVE-2025-41695, CVE-2025-41697, CVE-2025-41692, CVE-2025-41694, CVE-2025-41696, CVE-2025-41693

certvde.com/en/advisories/vde-

phoenixcontact.csaf-tp.certvde

  • 0
  • 0
  • 0
  • 7h ago

CVE-2025-41752

Overview

  • Phoenix Contact
  • FL SWITCH 2005
09 Dec 2025
Published
09 Dec 2025
Updated
CVSS v3.1
HIGH (7.1)
EPSS
0.08%
KEV

Description

An XSS vulnerability in pxc_portSfp.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user.

Statistics

  • 1 Post
Last activity: 7 hours ago

Fediverse

Profile picture
CERT@VDE @certvde

VDE-2025-071
Phoenix Contact: Multiple Vulnerabilities in FL SWITCH 2xxx Firmware

Multiple vulnerabilities have been identified in the FL SWITCH 2xxx firmware prior to version 3.50. Two of these (CVE-2025-41692 and CVE-2025-41696) enable an attacker to access the device's file system. Two other vulnerabilities (CVE-2025-41693 and CVE-2025-41694) are related to Denial of Service (DoS) attacks, which partly limit the device's functionality. Another vulnerability (CVE-2025-41697) allows an unauthenticated physical attacker to access a login shell via an undocumented UART port. Furthermore, there are multiple vulnerabilities relating to reflected cross-site scripting in the web-based management of the device. All vulnerabilities have been resolved in firmware version 3.50.
CVE-2025-41752, CVE-2025-41751, CVE-2025-41750, CVE-2025-41749, CVE-2025-41748, CVE-2025-41747, CVE-2025-41746, CVE-2025-41745, CVE-2025-41695, CVE-2025-41697, CVE-2025-41692, CVE-2025-41694, CVE-2025-41696, CVE-2025-41693

certvde.com/en/advisories/vde-

phoenixcontact.csaf-tp.certvde

  • 0
  • 0
  • 0
  • 7h ago

CVE-2025-41749

Overview

  • Phoenix Contact
  • FL SWITCH 2005
09 Dec 2025
Published
09 Dec 2025
Updated
CVSS v3.1
HIGH (7.1)
EPSS
0.08%
KEV

Description

An XSS vulnerability in port_util.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user.

Statistics

  • 1 Post
Last activity: 7 hours ago

Fediverse

Profile picture
CERT@VDE @certvde

VDE-2025-071
Phoenix Contact: Multiple Vulnerabilities in FL SWITCH 2xxx Firmware

Multiple vulnerabilities have been identified in the FL SWITCH 2xxx firmware prior to version 3.50. Two of these (CVE-2025-41692 and CVE-2025-41696) enable an attacker to access the device's file system. Two other vulnerabilities (CVE-2025-41693 and CVE-2025-41694) are related to Denial of Service (DoS) attacks, which partly limit the device's functionality. Another vulnerability (CVE-2025-41697) allows an unauthenticated physical attacker to access a login shell via an undocumented UART port. Furthermore, there are multiple vulnerabilities relating to reflected cross-site scripting in the web-based management of the device. All vulnerabilities have been resolved in firmware version 3.50.
CVE-2025-41752, CVE-2025-41751, CVE-2025-41750, CVE-2025-41749, CVE-2025-41748, CVE-2025-41747, CVE-2025-41746, CVE-2025-41745, CVE-2025-41695, CVE-2025-41697, CVE-2025-41692, CVE-2025-41694, CVE-2025-41696, CVE-2025-41693

certvde.com/en/advisories/vde-

phoenixcontact.csaf-tp.certvde

  • 0
  • 0
  • 0
  • 7h ago

CVE-2025-41697

Overview

  • Phoenix Contact
  • FL SWITCH 2005
09 Dec 2025
Published
09 Dec 2025
Updated
CVSS v3.1
MEDIUM (6.8)
EPSS
0.02%
KEV

Description

An attacker can use an undocumented UART port on the PCB as a side-channel to get root access e.g. with the credentials obtained from CVE-2025-41692.

Statistics

  • 1 Post
Last activity: 7 hours ago

Fediverse

Profile picture
CERT@VDE @certvde

VDE-2025-071
Phoenix Contact: Multiple Vulnerabilities in FL SWITCH 2xxx Firmware

Multiple vulnerabilities have been identified in the FL SWITCH 2xxx firmware prior to version 3.50. Two of these (CVE-2025-41692 and CVE-2025-41696) enable an attacker to access the device's file system. Two other vulnerabilities (CVE-2025-41693 and CVE-2025-41694) are related to Denial of Service (DoS) attacks, which partly limit the device's functionality. Another vulnerability (CVE-2025-41697) allows an unauthenticated physical attacker to access a login shell via an undocumented UART port. Furthermore, there are multiple vulnerabilities relating to reflected cross-site scripting in the web-based management of the device. All vulnerabilities have been resolved in firmware version 3.50.
CVE-2025-41752, CVE-2025-41751, CVE-2025-41750, CVE-2025-41749, CVE-2025-41748, CVE-2025-41747, CVE-2025-41746, CVE-2025-41745, CVE-2025-41695, CVE-2025-41697, CVE-2025-41692, CVE-2025-41694, CVE-2025-41696, CVE-2025-41693

certvde.com/en/advisories/vde-

phoenixcontact.csaf-tp.certvde

  • 0
  • 0
  • 0
  • 7h ago

CVE-2025-41694

Overview

  • Phoenix Contact
  • FL SWITCH 2005
09 Dec 2025
Published
09 Dec 2025
Updated
CVSS v3.1
MEDIUM (6.5)
EPSS
0.10%
KEV

Description

A low privileged remote attacker can run the webshell with an empty command containing whitespace. The server will then block until it receives more data, resulting in a DoS condition of the websserver.

Statistics

  • 1 Post
Last activity: 7 hours ago

Fediverse

Profile picture
CERT@VDE @certvde

VDE-2025-071
Phoenix Contact: Multiple Vulnerabilities in FL SWITCH 2xxx Firmware

Multiple vulnerabilities have been identified in the FL SWITCH 2xxx firmware prior to version 3.50. Two of these (CVE-2025-41692 and CVE-2025-41696) enable an attacker to access the device's file system. Two other vulnerabilities (CVE-2025-41693 and CVE-2025-41694) are related to Denial of Service (DoS) attacks, which partly limit the device's functionality. Another vulnerability (CVE-2025-41697) allows an unauthenticated physical attacker to access a login shell via an undocumented UART port. Furthermore, there are multiple vulnerabilities relating to reflected cross-site scripting in the web-based management of the device. All vulnerabilities have been resolved in firmware version 3.50.
CVE-2025-41752, CVE-2025-41751, CVE-2025-41750, CVE-2025-41749, CVE-2025-41748, CVE-2025-41747, CVE-2025-41746, CVE-2025-41745, CVE-2025-41695, CVE-2025-41697, CVE-2025-41692, CVE-2025-41694, CVE-2025-41696, CVE-2025-41693

certvde.com/en/advisories/vde-

phoenixcontact.csaf-tp.certvde

  • 0
  • 0
  • 0
  • 7h ago

CVE-2025-41696

Overview

  • Phoenix Contact
  • FL SWITCH 2005
09 Dec 2025
Published
09 Dec 2025
Updated
CVSS v3.1
MEDIUM (4.6)
EPSS
0.02%
KEV

Description

An attacker can use an undocumented UART port on the PCB as a side-channel with the user hardcoded credentials obtained from CVE-2025-41692 to gain read access to parts of the filesystem of the device.

Statistics

  • 1 Post
Last activity: 7 hours ago

Fediverse

Profile picture
CERT@VDE @certvde

VDE-2025-071
Phoenix Contact: Multiple Vulnerabilities in FL SWITCH 2xxx Firmware

Multiple vulnerabilities have been identified in the FL SWITCH 2xxx firmware prior to version 3.50. Two of these (CVE-2025-41692 and CVE-2025-41696) enable an attacker to access the device's file system. Two other vulnerabilities (CVE-2025-41693 and CVE-2025-41694) are related to Denial of Service (DoS) attacks, which partly limit the device's functionality. Another vulnerability (CVE-2025-41697) allows an unauthenticated physical attacker to access a login shell via an undocumented UART port. Furthermore, there are multiple vulnerabilities relating to reflected cross-site scripting in the web-based management of the device. All vulnerabilities have been resolved in firmware version 3.50.
CVE-2025-41752, CVE-2025-41751, CVE-2025-41750, CVE-2025-41749, CVE-2025-41748, CVE-2025-41747, CVE-2025-41746, CVE-2025-41745, CVE-2025-41695, CVE-2025-41697, CVE-2025-41692, CVE-2025-41694, CVE-2025-41696, CVE-2025-41693

certvde.com/en/advisories/vde-

phoenixcontact.csaf-tp.certvde

  • 0
  • 0
  • 0
  • 7h ago

CVE-2025-41750

Overview

  • Phoenix Contact
  • FL SWITCH 2005
09 Dec 2025
Published
09 Dec 2025
Updated
CVSS v3.1
HIGH (7.1)
EPSS
0.08%
KEV

Description

An XSS vulnerability in pxc_PortCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user.

Statistics

  • 1 Post
Last activity: 7 hours ago

Fediverse

Profile picture
CERT@VDE @certvde

VDE-2025-071
Phoenix Contact: Multiple Vulnerabilities in FL SWITCH 2xxx Firmware

Multiple vulnerabilities have been identified in the FL SWITCH 2xxx firmware prior to version 3.50. Two of these (CVE-2025-41692 and CVE-2025-41696) enable an attacker to access the device's file system. Two other vulnerabilities (CVE-2025-41693 and CVE-2025-41694) are related to Denial of Service (DoS) attacks, which partly limit the device's functionality. Another vulnerability (CVE-2025-41697) allows an unauthenticated physical attacker to access a login shell via an undocumented UART port. Furthermore, there are multiple vulnerabilities relating to reflected cross-site scripting in the web-based management of the device. All vulnerabilities have been resolved in firmware version 3.50.
CVE-2025-41752, CVE-2025-41751, CVE-2025-41750, CVE-2025-41749, CVE-2025-41748, CVE-2025-41747, CVE-2025-41746, CVE-2025-41745, CVE-2025-41695, CVE-2025-41697, CVE-2025-41692, CVE-2025-41694, CVE-2025-41696, CVE-2025-41693

certvde.com/en/advisories/vde-

phoenixcontact.csaf-tp.certvde

  • 0
  • 0
  • 0
  • 7h ago

CVE-2025-41745

Overview

  • Phoenix Contact
  • FL SWITCH 2005
09 Dec 2025
Published
09 Dec 2025
Updated
CVSS v3.1
HIGH (7.1)
EPSS
0.08%
KEV

Description

An XSS vulnerability in pxc_portCntr2.php can be used by an unauthenticated remote attacker to trick an authenticated user to send a manipulated POST request to the device in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user.

Statistics

  • 1 Post
Last activity: 7 hours ago

Fediverse

Profile picture
CERT@VDE @certvde

VDE-2025-071
Phoenix Contact: Multiple Vulnerabilities in FL SWITCH 2xxx Firmware

Multiple vulnerabilities have been identified in the FL SWITCH 2xxx firmware prior to version 3.50. Two of these (CVE-2025-41692 and CVE-2025-41696) enable an attacker to access the device's file system. Two other vulnerabilities (CVE-2025-41693 and CVE-2025-41694) are related to Denial of Service (DoS) attacks, which partly limit the device's functionality. Another vulnerability (CVE-2025-41697) allows an unauthenticated physical attacker to access a login shell via an undocumented UART port. Furthermore, there are multiple vulnerabilities relating to reflected cross-site scripting in the web-based management of the device. All vulnerabilities have been resolved in firmware version 3.50.
CVE-2025-41752, CVE-2025-41751, CVE-2025-41750, CVE-2025-41749, CVE-2025-41748, CVE-2025-41747, CVE-2025-41746, CVE-2025-41745, CVE-2025-41695, CVE-2025-41697, CVE-2025-41692, CVE-2025-41694, CVE-2025-41696, CVE-2025-41693

certvde.com/en/advisories/vde-

phoenixcontact.csaf-tp.certvde

  • 0
  • 0
  • 0
  • 7h ago

CVE-2025-41695

Overview

  • Phoenix Contact
  • FL SWITCH 2005
09 Dec 2025
Published
09 Dec 2025
Updated
CVSS v3.1
HIGH (7.1)
EPSS
0.08%
KEV

Description

An XSS vulnerability in dyn_conn.php can be used by an unauthenticated remote attacker to trick an authenticated user to send a manipulated POST request to the device in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user.

Statistics

  • 1 Post
Last activity: 7 hours ago

Fediverse

Profile picture
CERT@VDE @certvde

VDE-2025-071
Phoenix Contact: Multiple Vulnerabilities in FL SWITCH 2xxx Firmware

Multiple vulnerabilities have been identified in the FL SWITCH 2xxx firmware prior to version 3.50. Two of these (CVE-2025-41692 and CVE-2025-41696) enable an attacker to access the device's file system. Two other vulnerabilities (CVE-2025-41693 and CVE-2025-41694) are related to Denial of Service (DoS) attacks, which partly limit the device's functionality. Another vulnerability (CVE-2025-41697) allows an unauthenticated physical attacker to access a login shell via an undocumented UART port. Furthermore, there are multiple vulnerabilities relating to reflected cross-site scripting in the web-based management of the device. All vulnerabilities have been resolved in firmware version 3.50.
CVE-2025-41752, CVE-2025-41751, CVE-2025-41750, CVE-2025-41749, CVE-2025-41748, CVE-2025-41747, CVE-2025-41746, CVE-2025-41745, CVE-2025-41695, CVE-2025-41697, CVE-2025-41692, CVE-2025-41694, CVE-2025-41696, CVE-2025-41693

certvde.com/en/advisories/vde-

phoenixcontact.csaf-tp.certvde

  • 0
  • 0
  • 0
  • 7h ago
Showing 51 to 59 of 59 CVEs