CVE-2025-41697
CVE-2025-41697 is a medium-severity vulnerability in Phoenixcontact Fl Switch 2708 Pn Firmware with a CVSS 3.x base score of 6.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-1299.
Key facts
- Severity: Medium (CVSS 3.x base score 6.8)
- EPSS exploit prediction: 0% (11th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-201893
- Weakness: CWE-1299
- Affected product: Phoenixcontact Fl Switch 2708 Pn Firmware
- Published:
- Last modified:
Description
An attacker can use an undocumented UART port on the PCB as a side-channel to get root access e.g. with the credentials obtained from CVE-2025-41692.
Frequently asked questions
- What is CVE-2025-41697?
- An attacker can use an undocumented UART port on the PCB as a side-channel to get root access e.g. with the credentials obtained from CVE-2025-41692.
- How severe is CVE-2025-41697?
- CVE-2025-41697 has a CVSS 3.x base score of 6.8, rated medium severity. It is exploitable over physical access with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2025-41697 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (11th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2025-41697?
- CVE-2025-41697 primarily affects Phoenixcontact Fl Switch 2708 Pn Firmware. In total, 69 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2025-41697?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2025-41697 have an EU (EUVD) identifier?
- Yes. CVE-2025-41697 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-201893.
- When was CVE-2025-41697 published?
- CVE-2025-41697 was published on 2025-12-09 and last updated on 2026-06-17.
References
Affected products (69)
- cpe:2.3:o:phoenixcontact:fl_switch_2708_pn_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2708_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2608_pn_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2608_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2516_pn_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2516_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2514-2sfp_pn_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2514-2sfp_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2512-2gc-2sfp_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2508_pn_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2508\/k1_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2508_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2506-2sfp_pn_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2506-2sfp\/k1_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2506-2sfp_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2504-2gc-2sfp_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2416_pn_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2416_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2414-2sfx_pn_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2414-2sfx_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2412-2tc-2sfx_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2408_pn_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2408_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2406-2sfx_pn_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2406-2sfx_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2404-2tc-2sfx_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2316_pn_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2316\/k1_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2316_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2314-2sfp_pn_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2314-2sfp_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2312-2gc-2sfp_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2308_pn_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2308_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2306-2sfp_pn_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2306-2sfp_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2304-2gc-2sfp_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2303-8sp1:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2216_pn_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:fl_switch_2216_firmware:*:*:*:*:*:*:*:*
More vulnerabilities in Phoenixcontact Fl Switch 2708 Pn Firmware
- CVE-2022-22509 — High (CVSS 8.8): In Phoenix Contact FL SWITCH Series 2xxx in version 3.00 an incorrect privilege assignment allows an low privileged…
- CVE-2025-41752 — High (CVSS 7.1): An XSS vulnerability in pxc_portSfp.php can be used by an unauthenticated remote attacker to trick an authenticated…
- CVE-2025-41751 — High (CVSS 7.1): An XSS vulnerability in pxc_portCntr.php can be used by an unauthenticated remote attacker to trick an authenticated…
- CVE-2025-41750 — High (CVSS 7.1): An XSS vulnerability in pxc_PortCfg.php can be used by an unauthenticated remote attacker to trick an authenticated…
- CVE-2025-41749 — High (CVSS 7.1): An XSS vulnerability in port_util.php can be used by an unauthenticated remote attacker to trick an authenticated user…
- CVE-2025-41748 — High (CVSS 7.1): An XSS vulnerability in pxc_Dot1xCfg.php can be used by an unauthenticated remote attacker to trick an authenticated…
All CVEs affecting Phoenixcontact Fl Switch 2708 Pn Firmware →
Other CWE-1299 vulnerabilities
- CVE-2025-35998 — High (CVSS 7.9): Missing protection mechanism for alternate hardware interface in the Intel(R) Quick Assist Technology for some Intel(R)…
- CVE-2025-1073 — High (CVSS 7.5): Panasonic IR Control Hub (IR Blaster) versions 1.17 and earlier may allow an attacker with physical access to load…
- CVE-2024-47944 — Medium (CVSS 6.8): The device directly executes .patch firmware upgrade files on a USB stick without any prior authentication in the admin…