CVE-2025-13589 is a reflected Cross-site Scripting (XSS) vulnerability identified in the FMS (Facility Management System) developed by Otsuka Information Technology. The root cause is improper neutralization of user-supplied input during web page generation, classified under CWE-79. This flaw allows unauthenticated remote attackers to craft malicious URLs that, when clicked by a user, execute arbitrary JavaScript code within the victim's browser context. The attack vector is network-based with low attack complexity and does not require privileges or authentication, but it does require user interaction (clicking a malicious link). The vulnerability impacts confidentiality and integrity by enabling theft of session cookies, credentials, or execution of unauthorized actions on behalf of the user. The CVSS 4.0 score of 5.1 reflects a medium severity level, considering the ease of exploitation and potential impact. No patches or known exploits have been reported as of the publication date (November 24, 2025). The absence of patches means organizations must rely on compensating controls until a fix is available. The vulnerability is particularly dangerous in phishing scenarios where attackers trick users into clicking malicious links. Given the nature of reflected XSS, the attack is transient and requires active user engagement, but it can be leveraged for persistent attacks if combined with social engineering or other vulnerabilities. The FMS product's usage in enterprise environments makes this vulnerability relevant for organizations relying on it for facility or resource management.

For European organizations, this vulnerability poses a risk primarily through phishing campaigns targeting employees or partners using the Otsuka Information Technology FMS product. Successful exploitation can lead to session hijacking, unauthorized actions performed in the victim's context, data theft, and potential lateral movement within the network if credentials are compromised. The impact on confidentiality and integrity is significant, though availability is less affected. Organizations in sectors with high-value targets or sensitive data managed via FMS are at increased risk. The medium severity score suggests that while the vulnerability is not critical, it can be leveraged as part of a broader attack chain. The lack of authentication requirement lowers barriers for attackers, increasing the threat surface. European entities with remote or hybrid workforces may be more vulnerable due to increased phishing susceptibility. Additionally, regulatory compliance concerns (e.g., GDPR) arise if personal data is exposed or compromised through this vulnerability.

1. Implement strict input validation and output encoding on all user-supplied data within the FMS application to neutralize malicious scripts. 2. Apply Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 3. Educate users on recognizing phishing attempts and the risks of clicking unknown links, especially those related to FMS interfaces. 4. Monitor web server logs and network traffic for unusual or suspicious URL patterns indicative of XSS exploitation attempts. 5. Employ web application firewalls (WAFs) with rules tailored to detect and block reflected XSS payloads targeting the FMS product. 6. Isolate the FMS environment and restrict access to trusted networks or VPNs to reduce exposure. 7. Coordinate with Otsuka Information Technology for timely patch releases and apply updates promptly once available. 8. Conduct regular security assessments and penetration testing focusing on web application vulnerabilities within the FMS deployment. 9. Implement multi-factor authentication (MFA) to reduce the impact of credential theft resulting from XSS attacks. 10. Use browser security features such as SameSite cookies to limit cookie exposure during cross-site requests.