CVE-2025-35996 Overview
A stored cross-site scripting (XSS) vulnerability exists in KUNBUS PiCtory version 2.11.1 and earlier. The vulnerability allows an authenticated remote attacker to craft a specially designed filename that can be stored via API endpoints. When this malicious filename is later transmitted to the client to display configuration files, the lack of proper escape or sanitization enables the filename to be executed as an HTML script tag, resulting in a cross-site scripting attack.
Critical Impact
Authenticated attackers can inject malicious scripts via crafted filenames, potentially leading to session hijacking, credential theft, or unauthorized actions on behalf of legitimate users within industrial control environments.
Affected Products
- KUNBUS PiCtory version 2.11.1 and earlier
- KUNBUS Revolution Pi industrial PCs running vulnerable PiCtory versions
Discovery Timeline
- 2025-05-01 - CVE-2025-35996 published to NVD
- 2025-05-02 - Last updated in NVD database
Technical Details for CVE-2025-35996
Vulnerability Analysis
This vulnerability is classified under CWE-97 (Improper Neutralization of Server-Side Includes (SSI) Within a Web Page), though it manifests as a stored XSS attack vector. The vulnerability exists in the way PiCtory handles filenames submitted through its API endpoints. When an authenticated user creates or modifies configuration files, the application stores the filename without proper sanitization.
The attack targets industrial control systems running KUNBUS Revolution Pi hardware, making this particularly concerning for operational technology (OT) environments. The network-accessible nature of the vulnerability allows exploitation from any authenticated position on the network with low attack complexity.
Root Cause
The root cause of this vulnerability is the absence of proper input sanitization and output encoding for filenames processed by PiCtory's API endpoints. When filenames are stored and later rendered in the user interface to display configuration file listings, the application fails to escape HTML special characters. This allows attackers to embed JavaScript code within filenames that executes when the configuration file list is rendered in a victim's browser.
Attack Vector
The attack requires an authenticated attacker with access to the PiCtory web interface. The attacker leverages API endpoints that accept filename parameters to store a maliciously crafted filename containing JavaScript payload. When another user (or the same user) navigates to view the list of configuration files, the browser interprets the malicious filename as executable script content rather than plain text.
The exploitation path involves:
- Authenticating to the PiCtory web interface
- Creating or modifying a configuration file with a filename containing embedded script tags
- Waiting for a victim to view the configuration file list, triggering script execution in their browser context
Since no verified code examples are available, technical exploitation details can be found in the CISA ICS Advisory ICSA-25-121-01.
Detection Methods for CVE-2025-35996
Indicators of Compromise
- Configuration filenames containing HTML script tags or JavaScript event handlers (e.g., <script>, onerror=, onload=)
- API requests to PiCtory endpoints with unusual filename patterns containing encoded special characters
- Web server logs showing filename parameters with URL-encoded angle brackets (%3C, %3E)
Detection Strategies
- Monitor PiCtory API logs for filename parameters containing HTML/JavaScript syntax
- Implement web application firewall (WAF) rules to detect XSS payloads in API requests
- Review configuration file directory listings for filenames with suspicious character patterns
- Deploy endpoint detection to identify JavaScript execution from unexpected contexts within PiCtory sessions
Monitoring Recommendations
- Enable detailed logging on PiCtory web interfaces to capture all API interactions with filename parameters
- Implement network monitoring for anomalous HTTP traffic patterns targeting PiCtory endpoints
- Configure alerting for failed authentication attempts followed by successful authentication from the same source
- Monitor for unusual session activity patterns that may indicate account compromise from XSS exploitation
How to Mitigate CVE-2025-35996
Immediate Actions Required
- Update KUNBUS PiCtory to the latest version from the Pictory Package Repository
- Restrict network access to PiCtory interfaces to authorized personnel only
- Implement network segmentation to isolate industrial control systems from general network traffic
- Review existing configuration files for suspicious filenames and remove or rename any malicious entries
Patch Information
KUNBUS has addressed this vulnerability in versions released after 2.11.1. Administrators should download the latest PiCtory package from the official Pictory Package Repository and follow the vendor's upgrade procedures. For detailed guidance, refer to the CISA ICS Advisory ICSA-25-121-01.
Workarounds
- Implement strict access controls limiting PiCtory authentication to essential personnel only
- Deploy a web application firewall (WAF) with XSS filtering rules in front of PiCtory interfaces
- Use browser-based XSS protection extensions for users who must access PiCtory before patching
- Consider temporarily disabling network access to PiCtory until patching can be completed
# Network isolation example using iptables
# Restrict PiCtory access to specific management subnet
iptables -A INPUT -p tcp --dport 80 -s 192.168.100.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -s 192.168.100.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
