Vulnérabilité de Cross-Site Scripting (XSS) dans l'administration web du Luxul XWR-600
Plateforme
other
Composant
web-administration-interface
Corrigé dans
4.0.1
4.0.2
CVE-2025-15505 describes a cross-site scripting (XSS) vulnerability affecting the Web Administration Interface of Luxul XWR-600 devices. This vulnerability allows an attacker to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking or data theft. The vulnerability impacts versions 4.0.0 through 4.0.1 and has been publicly disclosed with a proof-of-concept available. Luxul has not yet released a technical statement.
Impact et Scénarios d'Attaquetraduction en cours…
Successful exploitation of CVE-2025-15505 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the Luxul XWR-600's web interface. This can be leveraged to steal session cookies, redirect users to malicious websites, or deface the administration interface. Given the device's role as a network router, a compromised administrator interface could provide an attacker with access to sensitive network configuration data, potentially enabling further attacks against internal resources. The public availability of a proof-of-concept significantly increases the risk of exploitation.
Contexte d'Exploitationtraduction en cours…
CVE-2025-15505 has been publicly disclosed and a proof-of-concept is available, indicating a high probability of exploitation. The vulnerability is tracked on the NVD and CISA databases. The lack of a response from Luxul regarding a technical statement raises concerns about the timeliness of a patch. The EPSS score is likely to be medium or high given the public exploit and lack of vendor response.
Qui Est à Risquetraduction en cours…
Organizations using Luxul XWR-600 routers, particularly those relying on the Guest Network feature for external access, are at risk. Shared hosting environments where multiple users share the same router configuration are also vulnerable. Legacy configurations with default passwords or outdated firmware are especially susceptible.
Étapes de Détectiontraduction en cours…
• windows / supply-chain: Monitor PowerShell execution for suspicious commands related to network configuration or web interface access. Check scheduled tasks for unusual scripts.
• linux / server: Examine system logs (journalctl) for unusual HTTP requests targeting the web administration interface. Use lsof to identify processes accessing the web interface.
• generic web: Use curl to test the Guest Network/Wireless Profile SSID parameter for XSS vulnerabilities. Inspect access and error logs for suspicious requests.
• database (mysql, redis, mongodb, postgresql): N/A - This vulnerability does not directly impact databases.
• other: Monitor network traffic for unusual HTTP requests to the XWR-600's web interface, particularly those involving the Guest Network/Wireless Profile SSID parameter.
Chronologie de l'Attaque
- Disclosure
disclosure
Renseignement sur les Menaces
Statut de l'Exploit
EPSS
0.04% (percentile 11%)
CISA SSVC
Vecteur CVSS
Que signifient ces métriques?
- Attack Vector
- Réseau — exploitable à distance via internet. Aucun accès physique ou local requis.
- Attack Complexity
- Faible — aucune condition spéciale requise. Exploitable de manière fiable.
- Privileges Required
- Élevé — un compte administrateur ou privilégié est requis.
- User Interaction
- Requise — la victime doit ouvrir un fichier, cliquer sur un lien ou visiter une page.
- Scope
- Inchangé — impact limité au composant vulnérable.
- Confidentiality
- Aucun — aucun impact sur la confidentialité.
- Integrity
- Faible — l'attaquant peut modifier certaines données avec un impact limité.
- Availability
- Aucun — aucun impact sur la disponibilité.
Logiciel Affecté
Classification de Faiblesse (CWE)
Chronologie
- Réservé
- Publiée
- Modifiée
- EPSS mis à jour
Mitigation et Contournementstraduction en cours…
While a patch is not yet available from Luxul, immediate mitigation steps are crucial. Consider temporarily disabling the Guest Network feature if it's not essential. Implement strict input validation and output encoding on the Web Administration Interface to prevent XSS attacks. Web application firewalls (WAFs) can be configured to filter out malicious JavaScript payloads targeting the SSID parameter. Monitor network traffic for suspicious activity and unusual requests to the web interface. After a patch is released by Luxul, promptly upgrade the XWR-600 to the fixed version and verify the fix by attempting to inject a simple XSS payload into the Guest Network/Wireless Profile SSID field.
Comment corriger
Mettre à jour le firmware du Luxul XWR-600 vers une version ultérieure à la 4.0.1, si disponible. Si aucune mise à jour n'est disponible, désactiver la fonction de réseau invité ou éviter d'utiliser des caractères spéciaux dans le SSID du réseau invité.
Newsletter Sécurité CVE
Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.
Questions fréquentestraduction en cours…
What is CVE-2025-15505 — XSS in Luxul XWR-600?
CVE-2025-15505 is a cross-site scripting (XSS) vulnerability in the Web Administration Interface of Luxul XWR-600 routers, allowing attackers to inject malicious scripts.
Am I affected by CVE-2025-15505 in Luxul XWR-600?
You are affected if you are using a Luxul XWR-600 router running versions 4.0.0 through 4.0.1.
How do I fix CVE-2025-15505 in Luxul XWR-600?
Upgrade to a patched version of the firmware when available from Luxul. Until then, disable the Guest Network feature and implement WAF rules.
Is CVE-2025-15505 being actively exploited?
A public proof-of-concept exists, indicating a high probability of active exploitation.
Where can I find the official Luxul advisory for CVE-2025-15505?
Check the Luxul website for security advisories, although a technical statement is currently unavailable.
Ton projet est-il affecté ?
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.