CVE-2025-10546
Description
This vulnerability exists in the PPC 2K15X Router due to improper input validation for the Common Gateway Interface (CGI) parameters at its web management portal. A remote attacker could exploit this vulnerability by injecting malicious JavaScript into the vulnerable parameter, leading to a reflected Cross-Site Scripting (XSS) attack on the targeted system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper input validation in PPC 2K15X router's CGI parameters allows reflected XSS, enabling arbitrary JavaScript execution and session cookie theft.
The PPC 2K15X router, a dual-band XPON ONT Wi-Fi device, contains a reflected Cross-Site Scripting (XSS) vulnerability due to improper input validation of Common Gateway Interface (CGI) parameters at its web management portal [1]. This allows an attacker to inject malicious JavaScript into a vulnerable parameter.
An attacker can exploit this by crafting a malicious link containing the injected script and tricking a user (typically an administrator) into clicking it. No authentication is required to perform the injection, but user interaction is needed to trigger the XSS. The vulnerability is present in firmware versions v2.3.15PPCL and v1.0.3 [1].
Successful exploitation enables arbitrary JavaScript execution in the context of the admin's session, potentially leading to session cookie theft, credential harvesting, or further attacks on the device [1].
As of the advisory date (September 16, 2025), no patch has been announced. Users should monitor vendor channels for firmware updates and avoid clicking untrusted links while accessing the router's management interface [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
References: 1
News mentions
No linked articles in our index yet.