Overview
A reflected Cross-Site Scripting (XSS) vulnerability has been identified in Fanvil x210 devices, specifically affecting version 2.12.20. This vulnerability, tracked as CVE-2025-64054, allows attackers to inject malicious scripts into the web interface of the phone, potentially leading to denial-of-service conditions or even arbitrary command execution.
Technical Details
The vulnerability resides within the /cgi-bin/webconfig?page=upload&action=submit endpoint. An attacker can craft a malicious POST request to this endpoint, injecting JavaScript code within a parameter. Due to inadequate input sanitization, the injected script is reflected back to the user’s browser when the page is rendered, leading to the execution of the malicious script. This is a classic example of a reflected XSS attack.
Example of a malicious POST request (illustrative):
POST /cgi-bin/webconfig?page=upload&action=submit HTTP/1.1
Host: vulnerable-fanvil-x210
Content-Type: application/x-www-form-urlencoded
param1=<script>alert('XSS Vulnerability!')</script>¶m2=value2
CVSS Analysis
Currently, the CVSS score is marked as N/A. While the severity is also listed as N/A, XSS vulnerabilities can pose a significant risk. A thorough CVSS evaluation should be conducted to accurately assess the impact of this vulnerability, taking into account factors like attack complexity and scope.
Possible Impact
Successful exploitation of this XSS vulnerability could have several detrimental consequences:
- Denial of Service (DoS): Attackers can inject scripts that disrupt the normal functionality of the phone’s web interface, leading to a denial of service.
- Arbitrary Command Execution (Potential): Depending on the privileges of the user accessing the web interface and the configuration of the phone, an attacker might be able to execute arbitrary commands on the device.
- Data Theft: The attacker might be able to steal sensitive information such as login credentials or configuration data.
- Malware Distribution: The compromised phone could be used to distribute malware to other devices on the network.
Mitigation or Patch Steps
The following steps are recommended to mitigate the risk associated with CVE-2025-64054:
- Apply the Latest Firmware Update: Check the Fanvil website for the latest firmware update for the x210 model. This update should include a patch that addresses the XSS vulnerability.
- Implement Input Validation: Ensure that all input fields on the web interface are properly validated to prevent the injection of malicious scripts.
- Use Output Encoding: Encode all output that is displayed on the web interface to prevent the execution of any injected scripts.
- Restrict Access: Limit access to the web interface of the phone to only authorized users.
