CVE-2025-25612
Description
FS Inc S3150-8T2F prior to version S3150-8T2F_2.2.0D_135103 is vulnerable to Cross Site Scripting (XSS) in the Time Range Configuration functionality of the administration interface. An attacker can inject malicious JavaScript into the "Time Range Name" field, which is improperly sanitized. When this input is saved, it is later executed in the browser of any user accessing the affected page, including administrators, resulting in arbitrary script execution in the user's browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in FS Inc S3150-8T2F switch's Time Range Name field allows attackers to execute arbitrary JavaScript in admin browsers.
Vulnerability
Overview
CVE-2025-25612 is a stored cross-site scripting (XSS) vulnerability affecting FS Inc S3150-8T2F switches prior to firmware version S3150-8T2F_2.2.0D_135103. The flaw resides in the Time Range Configuration functionality of the administration interface. The "Time Range Name" input field does not properly sanitize user-supplied data, allowing an attacker to inject malicious JavaScript code that is stored on the device [2].
Exploitation
An attacker with network access to the switch's management interface can exploit this vulnerability by submitting a crafted payload in the Time Range Name field. No authentication is required to trigger the stored payload; once saved, the malicious script executes in the browser of any user—including administrators—who views the affected configuration page. This makes the attack particularly dangerous as it can target privileged users without additional interaction [2].
Impact
Successful exploitation enables arbitrary script execution in the context of the victim's browser session. An attacker could steal session cookies, capture keystrokes, perform actions on behalf of the administrator, or deface the management interface. Because the script runs in the admin's browser, it can bypass network-level controls and potentially lead to full compromise of the switch's administrative functions [2].
Mitigation
FS Inc has addressed this vulnerability in firmware version S3150-8T2F_2.2.0D_135103. Users are strongly advised to upgrade to this or a later release. No workarounds are documented; restricting access to the management interface to trusted networks can reduce exposure but does not eliminate the risk [2].
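The description attributes the flaw to the "Time Range Name" value being stored and later rendered without proper sanitization. As an added example (not FS firmware code and not taken from the advisory), the JavaScript below contrasts that rendering pattern with allowlist validation on input and HTML encoding on output; the name policy, function names and sample values are assumptions.

```javascript
// Added example: hypothetical handling of a "Time Range Name" value in a
// web admin UI. Not FS firmware code; the name policy below is an assumption.

// Assumed policy: 1-32 characters, letters, digits, underscore, hyphen.
const NAME_POLICY = /^[A-Za-z0-9_-]{1,32}$/;

// Input side: reject names outside the policy before they are stored.
function isValidTimeRangeName(name) {
  return typeof name === "string" && NAME_POLICY.test(name);
}

// Output side: encode HTML metacharacters so a stored value is rendered
// as text even if it was saved before any validation existed.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable pattern: stored name concatenated into markup unchanged,
// so any markup in the name becomes part of the page.
function renderRowUnsafe(name) {
  return "<tr><td>" + name + "</td></tr>";
}

// Hardened pattern: same row, name encoded at the point of output.
function renderRowSafe(name) {
  return "<tr><td>" + escapeHtml(name) + "</td></tr>";
}

// Audit: list stored names that violate the policy so they can be reviewed.
function auditStoredNames(names) {
  return names.filter((n) => !isValidTimeRangeName(n));
}

// Constructed sample data, not taken from a real device.
const storedNames = ["weekdays", "night-shift_01", "<b>lab</b>", "ops & core"];
console.log(auditStoredNames(storedNames));
console.log(renderRowSafe(storedNames[2]));
```

Validation and encoding are complementary: the allowlist keeps markup out of storage, and the output encoding covers values that reached storage by another path.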
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
References
- fs.com (nvd)