CVE-2025-27567
Description
A cross-site scripting vulnerability exists in the NickName registration screen of HGW-BL1500HM Ver 002.002.003 and earlier. If this vulnerability is exploited, an arbitrary script may be executed in the web browser of a user who is using the configuration page or functions accessible only from the LAN side of the product.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in the NickName registration screen of KDDI HGW-BL1500HM home gateway allows arbitrary script execution in the browser of a LAN-side administrator.
Vulnerability Details
CVE-2025-27567 is a stored cross-site scripting (XSS) vulnerability in the NickName registration screen of the KDDI HGW-BL1500HM home gateway, affecting firmware versions 002.002.003 and earlier [1]. The root cause is insufficient input sanitization, allowing an attacker to inject arbitrary script code that is stored and later executed in the context of the web interface [1].
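The root cause described above, a stored value that is later written into HTML without encoding, is illustrated by the following added example. It is not code from the device firmware or from this CVE record: the in-memory store class, the allow-list regular expression, the page template and the sample nicknames are all constructed for illustration. It places the vulnerable rendering path beside the hardened one (HTML-entity encoding at the point of output, with an optional input allow-list as defence in depth) and includes a simple check a reviewer can run to confirm that markup characters no longer reach the page unencoded.

```python
import html
import re

# Constructed sample nicknames for the audit below (illustrative inputs, not from the advisory).
SAMPLE_NICKNAMES = [
    "alice",
    "Bob & Co",
    "<script>alert(1)</script>",
    '" onmouseover="alert(1)',
]

# Hypothetical page template standing in for the device's "registered nickname" screen.
PAGE_TEMPLATE = "<html><body><p>Hello, {name}!</p></body></html>"

# Optional input allow-list (assumption: letters, digits, space, underscore, dot, hyphen, 1-32 chars).
NICKNAME_RE = re.compile(r"[A-Za-z0-9 _.-]{1,32}")


class NicknameStore:
    """Minimal model of a NickName registration flow: register() persists the
    value, render() later writes it into an HTML page. The two flags select the
    vulnerable pattern (no validation, no encoding) or the hardened one."""

    def __init__(self, validate_input: bool, encode_output: bool):
        self.validate_input = validate_input
        self.encode_output = encode_output
        self._nick = ""

    def register(self, nickname: str) -> bool:
        # Defence in depth: reject characters outside the allow-list on input.
        if self.validate_input and not NICKNAME_RE.fullmatch(nickname):
            raise ValueError("nickname contains characters outside the allow-list")
        self._nick = nickname  # persisted: this is the "stored" half of stored XSS
        return True

    def render(self) -> str:
        # The essential fix: entity-encode the untrusted value when it is written
        # into HTML. html.escape(quote=True) also encodes '"' and "'", so the value
        # cannot break out of an attribute context either.
        name = html.escape(self._nick, quote=True) if self.encode_output else self._nick
        return PAGE_TEMPLATE.format(name=name)


def leaks_raw_markup(rendered: str, nickname: str) -> bool:
    """Reviewer check: True when an HTML-significant character from the
    nickname reached the rendered page without being entity-encoded."""
    if not any(c in nickname for c in "<>&\"'"):
        return False  # nothing in this value needed encoding
    return nickname in rendered


def audit(nicknames=SAMPLE_NICKNAMES) -> dict:
    """Render each sample nickname through the vulnerable and the hardened store
    and report, per nickname, whether raw markup leaked in each case."""
    vulnerable = NicknameStore(validate_input=False, encode_output=False)
    hardened = NicknameStore(validate_input=False, encode_output=True)
    results = {}
    for nick in nicknames:
        vulnerable.register(nick)
        hardened.register(nick)
        results[nick] = (
            leaks_raw_markup(vulnerable.render(), nick),
            leaks_raw_markup(hardened.render(), nick),
        )
    return results


if __name__ == "__main__":
    for nick, (vuln_leak, hard_leak) in audit().items():
        print(f"{nick!r:32} vulnerable_leaks={vuln_leak} hardened_leaks={hard_leak}")
```

The audit marks "Bob & Co" as leaking from the vulnerable path too: a bare ampersand is not a script injection, but it shows the same missing encoding step, which is the defect a code review should flag regardless of whether a given input happens to be harmful.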
Exploitation
An attacker must have low-privileged access to the device's LAN-side configuration interface and must trick an authenticated user (e.g., an administrator) into viewing the affected page [1]. The CVSS v3 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) reflects the need for user interaction and the low (partial) confidentiality and integrity impact, with no availability impact [1].
Impact
Successful exploitation enables arbitrary script execution in the victim's browser when they access the configuration page or other LAN-only functions [1]. This could lead to session hijacking, UI redressing, or further compromise of the gateway's administrative functions.
Mitigation
KDDI has released firmware version 002.004.010, which addresses this vulnerability [2]. Users are advised to keep the device connected to the internet to receive automatic updates [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <= 002.002.003
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.