Platform: other
Component: web-administration-interface
Fixed in: 4.0.1, 4.0.2
CVE-2025-15505 describes a cross-site scripting (XSS) vulnerability in the Web Administration Interface of Luxul XWR-600 devices. According to the mitigation guidance on this page, the injection point is the Guest Network/Wireless Profile SSID field: a crafted SSID value is rendered into admin pages without adequate output encoding, so script it carries runs in the browser of any user who views those pages, which can lead to session hijacking or data theft. The vulnerability is reported to affect versions 4.0.0 through 4.0.1; note that the metadata above lists 4.0.1 and 4.0.2 under "Fixed in", which conflicts with that range, so confirm the exact fixed build against Luxul's release notes before treating a 4.0.1 device as patched. The issue has been publicly disclosed with a proof-of-concept available. Luxul has not yet released a technical statement.
Successful exploitation of CVE-2025-15505 allows an attacker to execute arbitrary JavaScript in the context of a user's browser session on the Luxul XWR-600's web interface. Script running there can read data the page exposes, redirect the user to attacker-controlled sites, deface the administration interface, or, because it executes with the logged-in user's session, submit authenticated requests to the interface on that user's behalf; stealing the session cookie itself is only possible if the cookie is not marked HttpOnly. Given the device's role as a network router, a compromised administrator session exposes sensitive network configuration data and can be used to alter it, enabling further attacks against internal resources. The public availability of a proof-of-concept lowers the skill required to exploit the flaw.
CVE-2025-15505 has been publicly disclosed and a proof-of-concept is available. The vulnerability is tracked in the NVD and CISA databases. The absence of a technical statement from Luxul raises concerns about the timeliness of a patch. The EPSS score listed for this CVE is 0.04% (11th percentile), i.e. a low predicted probability of in-the-wild exploitation within the next 30 days despite the public proof-of-concept; EPSS and the existence of a PoC measure different things, so for devices whose admin interface is reachable by untrusted users, treat the PoC rather than the score as the driver for prioritisation.
Exploit Status: (not listed on this page)
EPSS: 0.04% (11th percentile)
CISA SSVC: (not listed on this page)
CVSS Vector: (not listed on this page)
While a patch is not yet available from Luxul, interim mitigation matters. Disable the Guest Network feature if it is not essential, since the vulnerable SSID field belongs to that feature. The underlying fix, strict input validation and context-aware output encoding of the SSID wherever the Web Administration Interface renders it, can only be applied by Luxul in firmware; operators cannot retrofit it, so the realistic operator controls are limiting who can reach the web interface (management VLAN or ACL, no exposure to the guest network or the WAN) and limiting who can set the SSID. A web application firewall can filter requests that place HTML or JavaScript into the SSID parameter, but only if the admin interface is actually reached through a proxy that the WAF inspects, which is uncommon for an embedded router UI. Monitor for unusual requests to the web interface, in particular writes to the wireless-profile or guest-network settings containing angle brackets, quotes or "script". Once Luxul releases a fix, upgrade the XWR-600 promptly and verify it: set the Guest Network/Wireless Profile SSID to a harmless marker containing HTML metacharacters (not a live script payload), reload the page, and confirm in the page source that the characters appear HTML-encoded rather than raw; then restore the original SSID.
Update the Luxul XWR-600 firmware to a version later than 4.0.1, if available. If no update is available, disable the guest network function or avoid special characters in the guest network SSID. Note that avoiding special characters only prevents a benign SSID from triggering the bug; it does not help if an attacker is able to set the SSID themselves, in which case restricting access to the interface is the control that matters.
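The following is an added example, not Luxul's code and not the published proof-of-concept. It models the bug class in the two mitigation paragraphs above: an SSID dropped into admin-page markup without encoding, the same markup with output encoding applied, a conservative SSID allow-list an operator can apply as defence in depth, and a post-patch check that decides from the page source whether a marker SSID was rendered encoded. The page template, the `guest_ssid` parameter name and the sample markup are assumptions; the real XWR-600 markup is not known.

```python
"""Added example (not Luxul's code): SSID reflected into a wireless-profile
page, with and without output encoding, plus a post-patch verification check.
Template, field names and markup below are assumptions, not the real UI."""
import html
import re


def render_ssid_vulnerable(ssid: str) -> str:
    """Hypothetical vulnerable template: the stored SSID is emitted raw into
    both an attribute and element text, so a crafted SSID can close the
    attribute and inject markup (the bug class CVE-2025-15505 describes)."""
    return (f'<input name="guest_ssid" value="{ssid}">'
            f'<span class="current">{ssid}</span>')


def render_ssid_hardened(ssid: str) -> str:
    """Same template with context-aware output encoding. html.escape with
    quote=True encodes & < > " and ', which covers a double-quoted
    attribute value and element text."""
    safe = html.escape(ssid, quote=True)
    return (f'<input name="guest_ssid" value="{safe}">'
            f'<span class="current">{safe}</span>')


# Defence-in-depth check an operator could apply before saving an SSID.
# 802.11 permits any 0..32 octets, so this is deliberately stricter than the
# standard; it is a mitigation, not a substitute for output encoding.
SSID_ALLOWED = re.compile(r"[A-Za-z0-9 ._-]{1,32}")


def ssid_is_conservative(ssid: str) -> bool:
    return SSID_ALLOWED.fullmatch(ssid) is not None and len(ssid.encode()) <= 32


# Marker for verifying a patched device: every HTML metacharacter that
# matters, but no executable payload, so it is safe to set briefly on a
# production router. The original SSID should be restored afterwards.
VERIFY_MARKER = 'x"><b>&\'</b>'


def fix_is_present(page_html: str, marker: str = VERIFY_MARKER) -> bool:
    """True only if the marker appears in fully encoded form and never raw.
    Partial encoding (e.g. < > encoded but quotes left alone) fails the
    check, which is the conservative outcome for a post-patch test."""
    raw_present = marker in page_html
    encoded_present = html.escape(marker, quote=True) in page_html
    return encoded_present and not raw_present


if __name__ == "__main__":
    for name, render in (("vulnerable", render_ssid_vulnerable),
                         ("hardened", render_ssid_hardened)):
        page = render(VERIFY_MARKER)
        print(f"{name}: {page}")
        print(f"  fix present: {fix_is_present(page)}")
    print("conservative SSID ok:", ssid_is_conservative("Guest-WiFi 2"))
```

In practice `fix_is_present` would be fed the HTML fetched from the device's wireless-profile page after the marker SSID has been saved; the markup it is run against here is produced locally by the two render functions so the example runs offline.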
CVE-2025-15505 is a cross-site scripting (XSS) vulnerability in the Web Administration Interface of Luxul XWR-600 routers, allowing attackers to inject malicious scripts.
You are affected if you are using a Luxul XWR-600 router running versions 4.0.0 through 4.0.1.
Upgrade to a patched version of the firmware when available from Luxul. Until then, disable the Guest Network feature and implement WAF rules.
A public proof-of-concept exists, so exploitation requires little skill; the listed EPSS score (0.04%, 11th percentile) nevertheless predicts a low probability of in-the-wild exploitation, so prioritise devices whose web interface is reachable by untrusted users.
Check the Luxul website for security advisories, although a technical statement is currently unavailable.