CVE-2025-27574

Vulnerability

Overview

CVE-2025-27574 is a stored cross-site scripting (XSS) vulnerability found in the USB storage file-sharing function of the KDDI HGW-BL1500HM home gateway running firmware version 002.002.003 and earlier [1]. The root cause is improper sanitization of user-supplied input, which permits the storage of malicious script code within the device's USB share feature. When an administrator or LAN-side user accesses the corresponding configuration page, the injected script is rendered, leading to XSS execution [1][2].

Exploitation

An attacker must first be connected to the local area network (LAN) side of the gateway and have valid credentials with privileges to access the USB file-sharing settings [1]. The attack is not exploitable from the WAN side by default; the CVSS v3.0 score of 3.6 reflects the low severity due to the required physical or adjacent network access (AV:P) and user interaction (UI:R) [1]. The attacker crafts a payload, such as a malicious filename or metadata, which is then stored on the USB storage and later displayed in the web interface.

Impact

If successfully exploited, the vulnerability allows an attacker to execute arbitrary JavaScript or HTML within the security context of the affected configuration web page [1]. This could lead to session hijacking, theft of configuration data, or unauthorized modification of gateway settings. Because the attack is limited to the same origin and requires prior LAN access, the overall impact is rated low (C:L/I:L/A:N) [1].

Mitigation

KDDI has released a firmware update version 002.004.010 that addresses this and related vulnerabilities [2]. Updating to this version or later is the recommended remediation. No workaround is provided beyond restricting LAN access to trusted users and applying the firmware patch [2].