CVE-2025-41362

Vulnerability

Overview

CVE-2025-41362 is a code injection vulnerability (CWE-94) affecting ZIV's IDF and ZLF protection devices running firmware versions v0.10.0-0C03-03 and v0.10.0-0C03-04. The flaw allows an attacker to store a malicious payload within the device's software, which later executes in the browser of any user who accesses the affected interface. This is a stored code injection issue, distinct from reflected cross-site scripting, as the payload persists on the device [1].

Exploitation

Conditions

Exploiting this vulnerability requires prior authentication to the device and the ability to execute commands with at least view permission. The attack vector is network-based, with low attack complexity and no user interaction required (CVSS v4.0 vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N). An authenticated attacker can inject arbitrary code through legitimate command execution, which is then stored and served to other users [1].

Impact

Successful exploitation enables an attacker to execute arbitrary code in the context of a victim's browser session. This can lead to data exfiltration, session hijacking, or further compromise of the device's web interface. The CVSS v4.0 base score is 5.3 (Medium), reflecting the requirement for authentication but the potential for significant confidentiality and integrity impact on the system's scope [1].

Mitigation

ZIV has addressed this vulnerability in firmware version 1.1.0 (and later). Users are strongly advised to update their IDF and ZLF devices to the latest available firmware to eliminate the risk. No workarounds are documented; the only remediation is applying the vendor-supplied patch [1].