CVE-2025-41745

7.1 HIGH

Cross-Site Scripting

📋 TL;DR

An unauthenticated cross-site scripting (XSS) vulnerability in pxc_portCntr2.php allows attackers to trick authenticated users into sending malicious POST requests that modify device configuration parameters via the web-based management interface. This affects systems running vulnerable versions of the software with the web interface exposed. The vulnerability does not grant system-level access or session hijacking capabilities due to httpOnly cookie protection.

💻 Affected Systems

Products:

• Software using pxc_portCntr2.php component

Versions: Unknown - check vendor advisory

Operating Systems: All platforms running vulnerable software

Default Config Vulnerable: ⚠️ Yes

Notes: Requires web-based management interface to be accessible and users to be authenticated.

📦 What is this software?

Fl Nat 2008 Firmware by Phoenixcontact

View all CVEs affecting Fl Nat 2008 Firmware →

Fl Nat 2208 Firmware by Phoenixcontact

View all CVEs affecting Fl Nat 2208 Firmware →

Fl Nat 2304 2gc 2sfp Firmware by Phoenixcontact

View all CVEs affecting Fl Nat 2304 2gc 2sfp Firmware →

Fl Switch 2005 Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2005 Firmware →

Fl Switch 2008 Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2008 Firmware →

Fl Switch 2008f Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2008f Firmware →

Fl Switch 2016 Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2016 Firmware →

Fl Switch 2105 Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2105 Firmware →

Fl Switch 2108 Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2108 Firmware →

Fl Switch 2116 Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2116 Firmware →

Fl Switch 2204 2tc 2sfx Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2204 2tc 2sfx Firmware →

Fl Switch 2205 Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2205 Firmware →

Fl Switch 2206 2fx Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2206 2fx Firmware →

Fl Switch 2206 2fx Sm Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2206 2fx Sm Firmware →

Fl Switch 2206 2fx Sm St Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2206 2fx Sm St Firmware →

Fl Switch 2206 2fx St Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2206 2fx St Firmware →

Fl Switch 2206 2sfx Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2206 2sfx Firmware →

Fl Switch 2206 2sfx Pn Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2206 2sfx Pn Firmware →

Fl Switch 2206c 2fx Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2206c 2fx Firmware →

Fl Switch 2207 Fx Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2207 Fx Firmware →

Fl Switch 2207 Fx Sm Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2207 Fx Sm Firmware →

Fl Switch 2208 Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2208 Firmware →

Fl Switch 2208 Pn Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2208 Pn Firmware →

Fl Switch 2208c Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2208c Firmware →

Fl Switch 2212 2tc 2sfx Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2212 2tc 2sfx Firmware →

Fl Switch 2214 2fx Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2214 2fx Firmware →

Fl Switch 2214 2fx Sm Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2214 2fx Sm Firmware →

Fl Switch 2214 2sfx Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2214 2sfx Firmware →

Fl Switch 2214 2sfx Pn Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2214 2sfx Pn Firmware →

Fl Switch 2216 Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2216 Firmware →

Fl Switch 2216 Pn Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2216 Pn Firmware →

Fl Switch 2303 8sp1 by Phoenixcontact

View all CVEs affecting Fl Switch 2303 8sp1 →

Fl Switch 2304 2gc 2sfp Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2304 2gc 2sfp Firmware →

Fl Switch 2306 2sfp Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2306 2sfp Firmware →

Fl Switch 2306 2sfp Pn Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2306 2sfp Pn Firmware →

Fl Switch 2308 Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2308 Firmware →

Fl Switch 2308 Pn Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2308 Pn Firmware →

Fl Switch 2312 2gc 2sfp Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2312 2gc 2sfp Firmware →

Fl Switch 2314 2sfp Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2314 2sfp Firmware →

Fl Switch 2314 2sfp Pn Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2314 2sfp Pn Firmware →

Fl Switch 2316 Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2316 Firmware →

Fl Switch 2316 Pn Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2316 Pn Firmware →

Fl Switch 2316\/k1 Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2316\/k1 Firmware →

Fl Switch 2404 2tc 2sfx Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2404 2tc 2sfx Firmware →

Fl Switch 2406 2sfx Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2406 2sfx Firmware →

Fl Switch 2406 2sfx Pn Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2406 2sfx Pn Firmware →

Fl Switch 2408 Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2408 Firmware →

Fl Switch 2408 Pn Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2408 Pn Firmware →

Fl Switch 2412 2tc 2sfx Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2412 2tc 2sfx Firmware →

Fl Switch 2414 2sfx Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2414 2sfx Firmware →

Fl Switch 2414 2sfx Pn Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2414 2sfx Pn Firmware →

Fl Switch 2416 Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2416 Firmware →

Fl Switch 2416 Pn Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2416 Pn Firmware →

Fl Switch 2504 2gc 2sfp Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2504 2gc 2sfp Firmware →

Fl Switch 2506 2sfp Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2506 2sfp Firmware →

Fl Switch 2506 2sfp Pn Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2506 2sfp Pn Firmware →

Fl Switch 2506 2sfp\/k1 Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2506 2sfp\/k1 Firmware →

Fl Switch 2508 Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2508 Firmware →

Fl Switch 2508 Pn Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2508 Pn Firmware →

Fl Switch 2508\/k1 Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2508\/k1 Firmware →

Fl Switch 2512 2gc 2sfp Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2512 2gc 2sfp Firmware →

Fl Switch 2514 2sfp Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2514 2sfp Firmware →

Fl Switch 2514 2sfp Pn Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2514 2sfp Pn Firmware →

Fl Switch 2516 Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2516 Firmware →

Fl Switch 2516 Pn Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2516 Pn Firmware →

Fl Switch 2608 Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2608 Firmware →

Fl Switch 2608 Pn Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2608 Pn Firmware →

Fl Switch 2708 Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2708 Firmware →

Fl Switch 2708 Pn Firmware by Phoenixcontact

View all CVEs affecting Fl Switch 2708 Pn Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could manipulate device configuration to disrupt operations, change network settings, or enable further attacks by modifying authorized parameters.

🟠

Likely Case

Attackers trick users into changing specific configuration settings, potentially causing service disruption or misconfiguration.

🟢

If Mitigated

With proper input validation and output encoding, the attack would fail to execute malicious scripts.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Requires social engineering to trick authenticated users into interacting with malicious content.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://certvde.com/de/advisories/VDE-2025-071

Restart Required: No

Instructions:

1. Monitor vendor for patch release. 2. Apply patch when available. 3. Verify fix by testing XSS payloads.

🔧 Temporary Workarounds

Input Validation and Output Encoding

all

Implement proper input validation and output encoding in pxc_portCntr2.php

Copy

Not applicable - code modification required

Web Application Firewall (WAF)

all

Deploy WAF with XSS protection rules

Copy

Not applicable - configuration required

🧯 If You Can't Patch

• Restrict access to web management interface to trusted networks only
• Implement Content Security Policy (CSP) headers to mitigate XSS impact

🔍 How to Verify

Check if Vulnerable:

Copy

Test pxc_portCntr2.php endpoint with XSS payloads and check if scripts execute

Check Version:

Copy

Check software version via web interface or system documentation

Verify Fix Applied:

Copy

Retest with XSS payloads after applying fixes to confirm scripts no longer execute

📡 Detection & Monitoring

Log Indicators:

• Unusual POST requests to pxc_portCntr2.php with script tags or encoded payloads
• Configuration changes from unexpected sources

Network Indicators:

• HTTP requests containing XSS patterns to vulnerable endpoint
• External sources triggering authenticated user actions

SIEM Query:

Copy

source="web_logs" AND uri="/pxc_portCntr2.php" AND (content CONTAINS "<script>" OR content CONTAINS "javascript:")

📊 Metadata

CVE ID: CVE-2025-41745

CVSS v3 Score: 7.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

CWE: CWE-79

EPSS Score: 0.1% exploit probability (26.7th percentile)

Published: December 9, 2025

Last Updated: December 19, 2025

🔗 References

• https://certvde.com/de/advisories/VDE-2025-071 Vendor Advisory

📤 Share & Export

Twitter LinkedIn Reddit Copy Link

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-41745, you might also want to check these:

CVE-2021-39199 10.0

CVE-2021-39199 is a critical cross-site scripting (XSS) vulnerability in the remark-html Node.js lib...

Same vulnerability type (CWE-79)

CVE-2021-32671 10.0

This vulnerability in Flarum forum software allows attackers to inject malicious HTML/JavaScript int...

Same vulnerability type (CWE-79)

CVE-2021-32798 10.0

CVE-2021-32798 is a critical vulnerability in Jupyter Notebook that allows malicious notebook files ...

Same vulnerability type (CWE-79)