VYPR
Medium severity 5.5 · NVD Advisory · Published Aug 20, 2025 · Updated Apr 15, 2026

CVE-2025-9225

Description

Stored cross-site scripting (XSS) in the web interface of MiR software versions prior to 3.0.0 on MiR Robots and MiR Fleet allows execution of arbitrary JavaScript code in a victim’s browser.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in MiR Robot and MiR Fleet software prior to v3.0.0 enables arbitrary JavaScript execution in a victim's browser.

Vulnerability & Root Cause

MiR software versions prior to 3.0.0 (affecting MiR Robots and MiR Fleet) are affected by a stored cross-site scripting (XSS) vulnerability. The web interface fails to properly sanitize user-supplied input before storing it, allowing an attacker to inject malicious JavaScript code that persists on the server. [2]

Exploitation & Prerequisites

An attacker with low-privileged access to the web interface can inject the malicious script. The vulnerability is triggered only when another logged-in user views the affected page, requiring user interaction (UI:R). The attack is network-based (AV:N) but requires prior authentication and the victim to click or navigate to the crafted content. [2]

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser session. This can lead to information disclosure (e.g., session tokens, cookies) and limited integrity impact, such as modifying page content or performing actions on behalf of the victim within the application's context. The CVSS v3.1 vector reflects Low confidentiality and Low integrity impacts (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L). [2]

Mitigation & Recommendations

The vendor, Mobile Industrial Robots (MiR), advises updating to software version 3.0.0 or later. If an immediate update is not possible, compensating controls include operating the system in a segmented and secured network with strict firewall rules and securing user accounts as recommended in the MiR Cybersecurity Guide. [2]

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

2
