CVE-2025-52357

Vulnerability

Description

CVE-2025-52357 is a reflected cross-site scripting (XSS) vulnerability in the ping diagnostic feature of the FiberHome (Shenzhen C-Data Technology Co., Ltd.) FD602GW-DX-R410 fiber router running firmware version V2.2.14. The vulnerability resides in the admin web console's ping input field, which fails to properly sanitize user-supplied input containing special characters. This allows an authenticated attacker to inject arbitrary JavaScript code that executes in the context of the router's web interface [1]. The web server is identified as Boa/0.93.15 [2].

Exploitation

Prerequisites

Exploitation requires the attacker to be an authenticated user of the router's admin console with low privileges. The attack vector is remote over the network and has low attack complexity. The user interaction is only required if the attack is combined with cross-site request forgery (CSRF). The vulnerability is triggered by submitting a crafted payload into the ping field, such as a string containing script tags, which is then reflected back to the browser without proper encoding or filtering [1][2].

Impact

Upon successful exploitation, the attacker can execute arbitrary JavaScript with the web interface's privileges, which correspond to admin-level access. This can lead to session hijacking, credential theft, privilege escalation, and unauthorized configuration changes of the router [1][2]. The CVSS v3.1 base score is 5.4 (Medium) with changed scope, indicating potential compromise of resources beyond the vulnerable component [1][2].

Mitigation

Status

As of the advisory publication date of July 10, 2025, the vendor has not released a firmware update addressing the issue. Mitigation recommendations include implementing strict server-side input validation and context-aware output encoding to prevent JavaScript injection. Users are advised to restrict administrative access to trusted networks and monitor for suspicious activity until a patch is available [1][2].