Description
The SMS module in Neterbit NW-431F Router 20241014-IR03 and before is vulnerable to stored XSS. The application does not properly sanitize user input in SMS messages before storing and displaying them. An attacker can send an SMS containing a malicious XSS payload, which will be executed in the context of the victim's browser when the message is viewed.
Published: 2026-06-04
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Neterbit NW-431F Router firmware preceding 20241014-IR03 stores SMS content without sanitizing it, allowing an attacker to embed a malicious JavaScript payload. When a user opens the message in their browser, the payload executes in the context of the device’s web interface, potentially granting arbitrary code execution or sensitive data exfiltration. This stored cross‑site scripting flaw can compromise confidentiality, integrity and availability of the device if exploited.

Affected Systems

Firmware versions up to and including 20241014-IR03 of the Neterbit NW-431F router are affected.

Risk and Exploitability

The CVSS score of 7.1 indicates a high overall severity. The EPSS score is not available, so the precise exploitation likelihood is unknown, but the flaw remains publicly documented and not listed in CISA’s KEV catalog. An attacker would need to deliver an SMS containing the payload to the target device and convince the victim to view the message in a browser; this relatively low barrier of exploitation coupled with the high impact increases the threat level. The vulnerability is easily exploitable if one can communicate with the router’s SMS module, exposing users to credential theft, session hijacking, or further network compromise.

Generated by OpenCVE AI on June 4, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the router firmware to a version newer than 20241014-IR03 that includes input sanitization for SMS messages
  • If an update is not immediately available, disable the SMS forwarding feature or block incoming SMS traffic to the router
  • Implement stringent input validation on the web interface to strip or encode script tags before storing and rendering SMS content

Generated by OpenCVE AI on June 4, 2026 at 18:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Title Stored Cross‑Site Scripting Vulnerability in Neterbit NW‑431F Router SMS Module

Thu, 04 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Description The SMS module in Neterbit NW-431F Router 20241014-IR03 and before is vulnerable to stored XSS. The application does not properly sanitize user input in SMS messages before storing and displaying them. An attacker can send an SMS containing a malicious XSS payload, which will be executed in the context of the victim's browser when the message is viewed.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AC:L/AV:N/A:N/C:H/I:L/PR:N/S:U/UI:R'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-04T18:01:42.200Z

Reserved: 2025-12-08T00:00:00.000Z

Link: CVE-2025-67448

cve-icon Vulnrichment

Updated: 2026-06-04T18:00:02.895Z

cve-icon NVD

Status : Deferred

Published: 2026-06-04T18:16:27.853

Modified: 2026-06-04T19:16:26.867

Link: CVE-2025-67448

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-04T18:30:16Z

Weaknesses