VYPR
Medium severity · CVSS 4.3 · NVD Advisory · Published Mar 4, 2025 · Updated Apr 15, 2026

CVE-2025-26202

Description

A Cross-Site Scripting (XSS) vulnerability exists in the WPA/WAPI Passphrase field of the Wireless Security settings (2.4GHz and 5GHz bands) in the DZS Router Web Interface. An authenticated attacker can inject malicious JavaScript into the passphrase field, which is stored and later executed when an administrator views the passphrase via the "Click here to display" option on the Status page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated XSS in DZS router's WPA/WAPI passphrase field allows stored script execution when admin views the passphrase, risking session hijacking.

Vulnerability

Overview

CVE-2025-26202 is a stored Cross-Site Scripting (XSS) vulnerability in the DZS ZNID-GPON-2428B1-0ST router's web interface. The flaw resides in the WPA/WAPI Passphrase field within the Wireless Security settings for both the 2.4GHz and 5GHz bands. The application neither sanitizes the value when it is submitted nor encodes it when it is later rendered, so an authenticated attacker can store arbitrary JavaScript on the device as the passphrase [1].

Exploitation

To exploit the vulnerability, an attacker must first authenticate to the router's web interface. They then navigate to the Wireless Security page and enter a JavaScript payload into the WPA/WAPI Passphrase field. After saving the configuration, the payload is stored on the device. The XSS is triggered when an administrator visits the Status page, selects the corresponding wireless band, and clicks the "Click here to display" link next to the Password field: the stored passphrase is written into the page as HTML rather than as text, and the script executes in the context of the administrator's browser session [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the administrator's browser. This can lead to session hijacking: the script can read the session cookie if it is not marked HttpOnly, and even if it is, the script can still issue requests with the administrator's session from within the page, modifying router settings or exfiltrating sensitive information. The CVSS v3 base score of 4.3 reflects the requirement for authentication and user interaction [1].

Mitigation

As of the publication date, the vendor has not released a firmware update to address this vulnerability. Users are advised to restrict administrative access to trusted networks and to monitor the stored wireless security settings for unexpected changes, in particular passphrases containing HTML markup. The affected firmware version is S4.2.022 [1].
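The rendering bug behind this class of issue, and the two mitigations above, are easier to reason about with a concrete model. The following is an added example and is not DZS code or code from the advisory: it contrasts an unsafe "Click here to display" handler that concatenates the stored passphrase into markup with a hardened one that HTML-encodes it, and adds a small audit helper that flags stored passphrases containing markup, which is the kind of check the "monitor for changes" advice calls for. The function names, the payload string and the sample configuration are all constructed for illustration.

```javascript
// Added example (not DZS or advisory code). Models the stored-XSS rendering
// bug and the two defensive checks discussed above. All names and sample
// data below are hypothetical.

// Minimal HTML entity encoding for a value interpolated into HTML text.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable pattern: the stored passphrase is concatenated straight into
// markup (the equivalent of element.innerHTML = ...), so a passphrase that
// contains a tag becomes live HTML in the administrator's browser.
function renderPassphraseUnsafe(passphrase) {
  return `<span id="wpa-passphrase">${passphrase}</span>`;
}

// Hardened pattern: encode before interpolation (in a real page, assign to
// element.textContent instead of innerHTML and no encoding is needed).
function renderPassphraseSafe(passphrase) {
  return `<span id="wpa-passphrase">${escapeHtml(passphrase)}</span>`;
}

// WPA2-PSK passphrase syntax: 8 to 63 printable ASCII characters (0x20-0x7E),
// or exactly 64 hex digits for a raw PSK. '<', '>' and quotes are all printable
// ASCII, so this syntax check alone does NOT stop the XSS; it only rejects
// malformed passphrases. Output encoding at render time is the real fix.
function isValidWpaPassphrase(p) {
  return /^[\x20-\x7e]{8,63}$/.test(p) || /^[0-9a-fA-F]{64}$/.test(p);
}

// Audit helper: given a flattened config dump (key -> passphrase), return the
// keys whose stored value contains characters or tokens only meaningful as
// HTML or script. Useful when reviewing a backup for unexpected changes.
function findSuspiciousPassphrases(config) {
  const suspicious = /[<>"'`]|javascript:|on\w+\s*=/i;
  return Object.entries(config)
    .filter(([, value]) => suspicious.test(value))
    .map(([key]) => key);
}

// Constructed sample data: a benign passphrase and an injected one. The
// payload is 42 printable ASCII characters, so it passes the syntax check.
const payload = "<img src=x onerror=alert(document.cookie)>";
const sampleConfig = {
  "wlan0.wpa_passphrase": "correct horse battery staple",
  "wlan1.wpa_passphrase": payload,
};

console.log(renderPassphraseUnsafe(payload)); // tag survives intact
console.log(renderPassphraseSafe(payload));   // tag rendered as text
console.log(findSuspiciousPassphrases(sampleConfig));
```

The point the syntax check makes is the important one: a WPA passphrase may legitimately contain every character an XSS payload needs, so validating input cannot be the fix here. The page that displays the stored value must treat it as text, and an audit of stored settings is a reasonable detective control while no firmware fix exists.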

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)
