CVE-2025-10546 - Vulnerability Details - OpenCVE

This vulnerability exist in PPC 2K15X Router, due to improper input validation for the Common Gateway Interface (CGI) parameters at its web management portal. A remote attacker could exploit this vulnerability by injecting malicious JavaScript into the vulnerable parameter, leading to a reflected Cross-Site Scripting (XSS) attack on the targeted system.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

Fixes

Solution

Upgrade PPC 2K15X Router to firmware version V2.3.24

Workaround

i. Disable remote management ii. Restrict admin access to trusted LAN devices only iii. Avoid accessing the management UI via untrusted links

References

Link	Providers
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2025-0215

History

Tue, 16 Sep 2025 12:45:00 +0000

Type	Values Removed	Values Added
Description		This vulnerability exist in PPC 2K15X Router, due to improper input validation for the Common Gateway Interface (CGI) parameters at its web management portal. A remote attacker could exploit this vulnerability by injecting malicious JavaScript into the vulnerable parameter, leading to a reflected Cross-Site Scripting (XSS) attack on the targeted system.
Title		Cross-Site Scripting (XSS) Vulnerability in PPC XPON ONT Wi-Fi Router
Weaknesses		CWE-79
References		https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2025-0215
Metrics		cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: CERT-In

Published: 2025-09-16T12:18:58.822Z

Updated: 2025-09-16T12:18:58.822Z

Reserved: 2025-09-16T10:30:43.804Z

Link: CVE-2025-10546

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-10546", "assignerOrgId": "66834db9-ab24-42b4-be80-296b2e40335c", "state": "PUBLISHED", "assignerShortName": "CERT-In", "dateReserved": "2025-09-16T10:30:43.804Z", "datePublished": "2025-09-16T12:18:58.822Z", "dateUpdated": "2025-09-16T12:18:58.822Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "PPC XPON ONT (Optical Network Terminal) 2K15X", "vendor": "PPC Technologies", "versions": [{"status": "affected", "version": "v2.3.15PPCL"}, {"status": "affected", "version": "v1.0.3"}]}], "credits": [{"lang": "en", "type": "finder", "value": "This vulnerability is reported by Shravan Singh & Amey Chavekar"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "This vulnerability exist in PPC 2K15X Router, due to improper input validation for the Common Gateway Interface (CGI) parameters at its web management portal. A remote attacker could exploit this vulnerability by injecting malicious JavaScript into the vulnerable parameter, leading to a reflected Cross-Site Scripting (XSS) attack on the targeted system.<br>"}], "value": "This vulnerability exist in PPC 2K15X Router, due to improper input validation for the Common Gateway Interface (CGI) parameters at its web management portal. A remote attacker could exploit this vulnerability by injecting malicious JavaScript into the vulnerable parameter, leading to a reflected Cross-Site Scripting (XSS) attack on the targeted system."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "CAPEC-591: Reflected XSS"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.1, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "66834db9-ab24-42b4-be80-296b2e40335c", "shortName": "CERT-In", "dateUpdated": "2025-09-16T12:18:58.822Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2025-0215"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Upgrade PPC 2K15X Router to firmware version V2.3.24<br>"}], "value": "Upgrade PPC 2K15X Router to firmware version V2.3.24"}], "source": {"discovery": "UNKNOWN"}, "title": "Cross-Site Scripting (XSS) Vulnerability in PPC XPON ONT Wi-Fi Router", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "i. Disable remote management<br>ii. Restrict admin access to trusted LAN devices only<br>iii. Avoid accessing the management UI via untrusted links<br>"}], "value": "i. Disable remote management\nii. Restrict admin access to trusted LAN devices only\niii. Avoid accessing the management UI via untrusted links"}], "x_generator": {"engine": "Vulnogram 0.2.0"}}}}