Cyber Posture

CVE-2025-64054

Severity: Critical · Public PoC

Published: 05 December 2025
Modified: 09 January 2026
KEV Added:
Patch:
CVSS Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0014 (33.0th percentile)
Risk Priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

A reflected Cross-Site Scripting (XSS) vulnerability on Fanvil x210 2.12.20 devices allows attackers to cause a denial of service or potentially execute arbitrary commands via a crafted POST request to the /cgi-bin/webconfig?page=upload&action=submit endpoint.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

Prevent: Requires validation of POST request inputs at the vulnerable /cgi-bin/webconfig endpoint to block malicious XSS payloads before processing.

Prevent: Mandates filtering of reflected outputs from the upload endpoint to prevent injected scripts from executing in the victim's browser.

Prevent: Ensures timely identification, reporting, and patching of the specific XSS flaw in Fanvil x210 firmware version 2.12.20.

Security Summary (AI-generated)

CVE-2025-64054 is a reflected Cross-Site Scripting (XSS) vulnerability affecting Fanvil x210 devices running firmware version 2.12.20. The flaw exists in the /cgi-bin/webconfig?page=upload&action=submit endpoint, where a crafted POST request can inject malicious scripts. It is classified under CWE-79 and carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and potential for high-impact consequences across confidentiality, integrity, and availability.

Unauthenticated attackers on the network can exploit this vulnerability by tricking a user into submitting a maliciously crafted POST request, for example via a phishing link or social engineering. Successful exploitation results in reflected XSS, enabling denial of service on the targeted device or, in some cases, execution of arbitrary commands in the context of the victim's browser session; the changed scope (S:C) reflects that the impact extends beyond the vulnerable component itself.

Mitigation details and advisories are available from the vendor at http://fanvil.com and in the SpikeReply advisory at https://github.com/SpikeReply/advisories/blob/main/cve/fanvil/cve-2025-64054.md, published on 2025-12-05. Security practitioners should consult these resources for patching instructions or workarounds specific to Fanvil x210 firmware updates.

Details

CWE(s): CWE-79

Affected Products:
Vendor: fanvil
Product: x210 firmware
Version: 2.12.20

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The reflected XSS vulnerability sits in a public-facing web endpoint (/cgi-bin/webconfig) of the Fanvil x210 network device, so it can be exploited without prior authentication, which matches the exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0