Luxul XWR-600 Web Administration cross site scripting
Platform: other
Component: web-administration-interface
Fixed in: 4.0.1, 4.0.2
CVE-2025-15505 describes a cross-site scripting (XSS) vulnerability affecting the Web Administration Interface of Luxul XWR-600 devices. This vulnerability allows an attacker to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking or data theft. The vulnerability impacts versions 4.0.0 through 4.0.1 and has been publicly disclosed with a proof-of-concept available. Luxul has not yet released a technical statement.
Impact and Attack Scenarios
Successful exploitation of CVE-2025-15505 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the Luxul XWR-600's web interface. This can be leveraged to steal session cookies, redirect users to malicious websites, or deface the administration interface. Given the device's role as a network router, a compromised administrator interface could provide an attacker with access to sensitive network configuration data, potentially enabling further attacks against internal resources. The public availability of a proof-of-concept significantly increases the risk of exploitation.
Exploitation Context
CVE-2025-15505 has been publicly disclosed and a proof-of-concept is available, indicating a high probability of exploitation. The vulnerability is tracked on the NVD and CISA databases. The lack of a response from Luxul regarding a technical statement raises concerns about the timeliness of a patch. The EPSS score is likely to be medium or high given the public exploit and lack of vendor response.
Who Is at Risk
Organizations using Luxul XWR-600 routers, particularly those relying on the Guest Network feature for external access, are at risk. Shared hosting environments where multiple users share the same router configuration are also vulnerable. Legacy configurations with default passwords or outdated firmware are especially susceptible.
Detection Steps
• windows / supply-chain: Monitor PowerShell execution for suspicious commands related to network configuration or web interface access. Check scheduled tasks for unusual scripts.
• linux / server: Examine system logs (journalctl) for unusual HTTP requests targeting the web administration interface. Use lsof to identify processes accessing the web interface.
• generic web: Use curl to test the Guest Network/Wireless Profile SSID parameter for XSS vulnerabilities. Inspect access and error logs for suspicious requests.
• database (mysql, redis, mongodb, postgresql): N/A - This vulnerability does not directly impact databases.
• other: Monitor network traffic for unusual HTTP requests to the XWR-600's web interface, particularly those involving the Guest Network/Wireless Profile SSID parameter.
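The log-inspection step above, as an added example that is not part of the original advisory: a scanner over constructed Common Log Format lines that flags admin-interface requests whose SSID parameter carries markup after full percent-decoding (so double-encoded values are caught) or exceeds the 32-byte limit an IEEE 802.11 SSID can have. The /cgi-bin/ path prefix and the "ssid" parameter name are assumptions; the advisory names only the Guest Network/Wireless Profile SSID field, not the firmware's endpoint or parameter names.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample log lines in Common Log Format; not real XWR-600 logs.
# The /cgi-bin/ admin prefix and the "ssid" parameter name are assumptions:
# the advisory names only the Guest Network/Wireless Profile SSID field.
SAMPLE_LOG = """
10.0.0.5 - - [12/Jan/2026:09:00:01 +0000] "GET /cgi-bin/wireless.cgi?ssid=GuestWiFi HTTP/1.1" 200 512
10.0.0.9 - - [12/Jan/2026:09:02:17 +0000] "GET /cgi-bin/wireless.cgi?ssid=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 480
10.0.0.9 - - [12/Jan/2026:09:02:40 +0000] "GET /cgi-bin/wireless.cgi?ssid=%253Cimg%2520onerror%253Dx%253E HTTP/1.1" 200 480
10.0.0.9 - - [12/Jan/2026:09:03:05 +0000] "GET /cgi-bin/wireless.cgi?ssid=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1" 200 480
10.0.0.7 - - [12/Jan/2026:09:05:00 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Markers that have no business in an SSID: a tag opener, a javascript: URL, or an on*= handler.
MARKUP_RE = re.compile(r'<|javascript:|\bon[a-z]+\s*=', re.IGNORECASE)
ADMIN_PREFIX = "/cgi-bin/"   # assumed location of the web administration interface
SSID_PARAMS = {"ssid"}       # assumed parameter name for the SSID field
MAX_SSID_BYTES = 32          # IEEE 802.11 limit; anything longer cannot be a legitimate SSID

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded values are inspected in their final form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return one finding per suspicious query parameter in an admin-interface request."""
    m = LOG_RE.match(line)
    if not m or not m.group("target").startswith(ADMIN_PREFIX):
        return []
    findings = []
    for name, raw in parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True):
        value = fully_decode(raw)  # parse_qsl already removed one layer of encoding
        reasons = []
        if MARKUP_RE.search(value):
            reasons.append("markup-in-parameter")
        if name.lower() in SSID_PARAMS and len(value.encode("utf-8")) > MAX_SSID_BYTES:
            reasons.append("ssid-over-32-bytes")
        if reasons:
            findings.append({"ip": m.group("ip"), "param": name, "value": value, "reasons": reasons})
    return findings

def scan_log(text):
    """Scan a whole log, skipping blank lines and requests outside the admin interface."""
    return [f for line in text.splitlines() if line.strip() for f in scan_line(line)]
```

Feed it the device's real access log and adjust ADMIN_PREFIX and SSID_PARAMS to match the request paths you actually see from the administration interface.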
Attack Timeline
- Disclosure
Threat Intelligence
Exploit Status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS vector
What do these metrics mean?
- Attack Vector: Network. Remotely exploitable over the internet; no physical or local access required.
- Attack Complexity: Low. No special conditions required; reliably exploitable.
- Privileges Required: High. An administrator or privileged account is required.
- User Interaction: Required. The victim must open a file, click a link or visit a page.
- Scope: Unchanged. Impact is limited to the vulnerable component.
- Confidentiality: None. No confidentiality impact.
- Integrity: Low. The attacker can modify some data to a limited extent.
- Availability: None. No availability impact.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
While a patch is not yet available from Luxul, immediate mitigation steps are crucial. Consider temporarily disabling the Guest Network feature if it's not essential. Implement strict input validation and output encoding on the Web Administration Interface to prevent XSS attacks. Web application firewalls (WAFs) can be configured to filter out malicious JavaScript payloads targeting the SSID parameter. Monitor network traffic for suspicious activity and unusual requests to the web interface. After a patch is released by Luxul, promptly upgrade the XWR-600 to the fixed version and verify the fix by attempting to inject a simple XSS payload into the Guest Network/Wireless Profile SSID field.
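The input-validation and output-encoding advice above, as an added example that is not Luxul's code: a constructed stored SSID rendered by a vulnerable string-concatenation template beside the hardened version that HTML-encodes for the attribute context, plus a validator for the constraints a real SSID must meet. The validator deliberately accepts '<' and '"', because they are legal SSID characters; the example shows why encoding at render time, not character blacklisting, is the fix.

```python
import html
import unicodedata

MAX_SSID_BYTES = 32  # IEEE 802.11 SSID length limit

# Constructed stored value of the kind the advisory warns about; not taken from a real device.
STORED_SSID = '"><b>guest</b>'

def validate_ssid(ssid):
    """Input validation: reject empty, over-long, or control-character SSIDs before storing them.
    '<' and '"' are legal SSID characters, so validation alone cannot prevent this XSS;
    output encoding at render time is the actual fix."""
    data = ssid.encode("utf-8")
    if not 1 <= len(data) <= MAX_SSID_BYTES:
        return False
    return not any(unicodedata.category(ch).startswith("C") for ch in ssid)

def render_ssid_field_vulnerable(ssid):
    # The pattern behind the advisory: the stored SSID is concatenated into the page unencoded,
    # so a value containing '">' closes the attribute and the remainder becomes live markup.
    return '<input name="ssid" value="' + ssid + '">'

def render_ssid_field_fixed(ssid):
    # Context-aware output encoding for an HTML attribute: quote=True escapes " and ' as well
    # as <, > and &, so the browser shows the SSID as text instead of parsing it as markup.
    return '<input name="ssid" value="' + html.escape(ssid, quote=True) + '">'
```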
How to Fix
Update the firmware of the Luxul XWR-600 to a version later than 4.0.1, if available. If no updates are available, disable the guest network feature or avoid using special characters in the guest network SSID.
Frequently Asked Questions
What is CVE-2025-15505 — XSS in Luxul XWR-600?
CVE-2025-15505 is a cross-site scripting (XSS) vulnerability in the Web Administration Interface of Luxul XWR-600 routers, allowing attackers to inject malicious scripts.
Am I affected by CVE-2025-15505 in Luxul XWR-600?
You are affected if you are using a Luxul XWR-600 router running versions 4.0.0 through 4.0.1.
How do I fix CVE-2025-15505 in Luxul XWR-600?
Upgrade to a patched version of the firmware when available from Luxul. Until then, disable the Guest Network feature and implement WAF rules.
Is CVE-2025-15505 being actively exploited?
A public proof-of-concept exists, indicating a high probability of active exploitation.
Where can I find the official Luxul advisory for CVE-2025-15505?
Check the Luxul website for security advisories, although a technical statement is currently unavailable.