CVE-2025-66359 Overview
CVE-2025-66359 is a cross-site scripting (XSS) vulnerability affecting Logpoint SIEM versions prior to 7.7.0. The flaw stems from insufficient input validation and a lack of output escaping across multiple components of the product. An attacker can craft malicious input that executes in the browser context of a Logpoint user who interacts with the affected component. Successful exploitation requires user interaction and can lead to session compromise, content manipulation, or execution of arbitrary script in the victim's authenticated session. The vulnerability is categorized under CWE-79.
Critical Impact
Attackers can inject arbitrary JavaScript into the Logpoint SIEM web interface, potentially hijacking analyst sessions and manipulating security telemetry views.
Affected Products
- Logpoint SIEM versions prior to 7.7.0
- Multiple components within the Logpoint web interface
- All deployments exposing the Logpoint UI to user interaction
Discovery Timeline
- 2025-11-28 - CVE-2025-66359 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-66359
Vulnerability Analysis
The vulnerability is a stored or reflected cross-site scripting flaw within the Logpoint SIEM web application. Multiple components fail to validate user-supplied input and do not escape output rendered back to the browser. This combination allows an attacker to inject HTML or JavaScript that the browser interprets as legitimate application content.
The scope change indicated by the CVSS vector suggests injected scripts can affect resources beyond the vulnerable component itself. Because Logpoint SIEM serves as a security operations console, script execution in an analyst's browser can expose session tokens, dashboards, and query results. The EPSS probability of 0.16% suggests limited observed exploitation activity, but the flaw remains reachable over the network.
Root Cause
The root cause is twofold. First, input received by multiple components is not sanitized against script payloads before being stored or reflected. Second, the application fails to apply contextual output encoding when rendering that data in HTML, attribute, or script contexts. Without proper encoding, characters such as <, >, ", and ' retain their syntactic meaning in the browser.
Attack Vector
An attacker delivers a crafted URL or payload that triggers when a Logpoint user visits the affected page or interacts with a malicious link. User interaction is required, which aligns with common reflected XSS delivery through phishing. Once the payload executes, it runs with the privileges of the authenticated user in the Logpoint web session. The vulnerability mechanism is described in the Logpoint XSS Vulnerability Advisory; no public proof-of-concept code is available.
Detection Methods for CVE-2025-66359
Indicators of Compromise
- Unexpected <script>, onerror=, or javascript: payloads in Logpoint request logs or stored fields
- Outbound HTTP requests from analyst browsers to unfamiliar domains shortly after opening Logpoint dashboards
- Anomalous session activity or API calls originating from authenticated analyst accounts
Detection Strategies
- Inspect web server and reverse-proxy logs for URL parameters or POST bodies containing HTML control characters and script keywords targeting Logpoint endpoints
- Enable and review Content Security Policy (CSP) violation reports from the Logpoint web interface
- Correlate authenticated Logpoint user activity with browser-side telemetry to identify unexpected script execution
Monitoring Recommendations
- Monitor Logpoint access logs for requests containing encoded XSS patterns such as %3Cscript%3E or onerror%3D
- Alert on Logpoint user sessions that exhibit sudden changes in source IP or user-agent within short timeframes
- Track administrative and configuration changes made through the Logpoint UI following user interaction with external links
How to Mitigate CVE-2025-66359
Immediate Actions Required
- Upgrade Logpoint SIEM to version 7.7.0 or later as directed by the vendor advisory
- Restrict access to the Logpoint web interface to trusted networks and administrative jump hosts
- Instruct analysts to avoid clicking untrusted links while authenticated to the Logpoint console
Patch Information
Logpoint has addressed the vulnerability in version 7.7.0. Refer to the Logpoint XSS Vulnerability Advisory for upgrade instructions and component-level remediation details.
Workarounds
- Enforce a strict Content Security Policy on the reverse proxy fronting Logpoint to limit inline script execution
- Require analysts to use dedicated browsers or profiles for Logpoint access, isolating sessions from general web browsing
- Apply network segmentation so the Logpoint UI is only reachable through a controlled administrative VPN
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

