CVE-2025-26065
BaseFortify
Publication date: 2025-08-04
Last updated on: 2025-11-03
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| intelbras | rx_1500_firmware | 2.2.9 |
| intelbras | rx_1500 | * |
| intelbras | rx_3000_firmware | 1.0.11 |
| intelbras | rx_3000 | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-26065 is a cross-site scripting (XSS) vulnerability in Intelbras RX1500 v2.2.9 and RX3000 v1.0.11 routers. It allows an authenticated attacker to inject malicious JavaScript code into the Wi-Fi guest network name (SSID) fields via crafted SOAP requests to the router's management interface. This injected code is then executed when the router's status page is accessed, enabling persistent XSS attacks due to improper input validation and lack of sanitization in the SSID fields. [1]
How can this vulnerability impact me? :
This vulnerability can allow an attacker with authentication to execute arbitrary scripts in the router's web interface, potentially leading to full administrative control over the router. This includes maintaining persistence via injected scripts, unauthorized modification of router settings, and possibly accessing sensitive data if combined with other vulnerabilities. Such control can disrupt network operations, compromise connected devices, and expose private network information. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the router's guest Wi-Fi network name (SSID) fields accept and render injected JavaScript code. Specifically, an authenticated user can attempt to inject crafted payloads such as `<script>alert(1)</script>` for the 2.4GHz guest network or `<script>alert(2)</script>` for the 5GHz guest network via SOAP requests to the router's HNAP1 API endpoint using the `SetMultipleActions` action. Detection involves sending these crafted SOAP XML payloads and then accessing the router's status page to see if the script executes, indicating persistent XSS. Commands would involve crafting and sending SOAP requests to the router's management interface, for example using curl or a SOAP client to POST the XML payload to the router's API endpoint. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include ensuring proper sanitization of all user-supplied input, especially the guest network SSID fields, by converting special characters to HTML entities and applying semantic filtering to enforce expected data formats. Additionally, strengthen session management and access control mechanisms to restrict sensitive functionalities strictly to authenticated and authorized users, with all permission checks enforced server-side. Avoid using vulnerable firmware versions (Intelbras RX1500 v2.2.9 and RX3000 v1.0.11) and apply any available patches or updates from the vendor. Limit administrative access to trusted users and networks until a fix is applied. [1]