CVE-2025-25612
Published: 17 March 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2025-25612 is a Cross-Site Scripting (XSS) vulnerability (CWE-79) in FS Inc's S3150-8T2F network switch, affecting versions prior to S3150-8T2F_2.2.0D_135103. The flaw exists in the Time Range Configuration functionality of the administration interface, where the "Time Range Name" field fails to properly sanitize user input, allowing attackers to inject malicious JavaScript. Published on 2025-03-17, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).
An authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network by submitting malicious JavaScript in the Time Range Name field. Once saved, the injected script executes in the browser of any user accessing the affected page, including administrators, provided the victim interacts with the page (UI:R). This enables arbitrary script execution, potentially leading to high confidentiality, integrity, and availability impacts, such as session hijacking or data theft.
Mitigation requires upgrading to S3150-8T2F_2.2.0D_135103 or later. Additional details are available in the vendor advisory at http://fs.com and the GitHub repository at https://github.com/secmuzz/CVE-2025-25612/.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in the web admin interface allows injection and execution of arbitrary JavaScript in victims' browsers (including higher-privileged admins), directly enabling browser session hijacking and related data theft as explicitly noted in the CVE description.