CVE-2025-13648 is a stored Cross-site Scripting (XSS) vulnerability classified under CWE-79 affecting Microcom's ZeusWeb product, specifically version 6.1.31. The vulnerability arises from improper neutralization of input during web page generation, allowing an attacker with authenticated access to inject arbitrary JavaScript code into the 'Name' and 'Surname' parameters within the 'My Account' section of the web application. The injection point is located at the URL https://zeus.microcom.es:4040/administracion-estaciones.html. Because the malicious script is stored persistently, it can execute whenever a victim views the affected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of the user. Exploitation requires the attacker to have at least low privileges (authenticated user) and involves user interaction to trigger the payload. The vulnerability has a CVSS 4.0 score of 4.8, indicating medium severity, with network attack vector, low attack complexity, no privileges required for exploitation beyond authentication, and user interaction needed. No public exploits have been reported yet. The root cause is insufficient input validation and output encoding in the web application, allowing script injection. This vulnerability could be leveraged in targeted attacks against organizations using ZeusWeb, especially those exposing the administrative interface externally or with weak access controls. The absence of vendor patches at the time of reporting necessitates immediate mitigation through configuration and monitoring.

For European organizations, this vulnerability poses a risk primarily to confidentiality and integrity. Attackers exploiting the stored XSS can hijack user sessions, steal sensitive information such as authentication tokens or personal data, and potentially escalate privileges within the application. This could lead to unauthorized access to administrative functions or sensitive operational data managed through ZeusWeb. The availability impact is limited but could occur if attackers use XSS to inject disruptive scripts. Organizations in sectors relying on ZeusWeb for critical infrastructure management or operational technology could face operational disruptions or data breaches. The requirement for authenticated access limits the attack surface but does not eliminate risk, especially in environments with weak authentication or insider threats. The medium severity rating suggests moderate urgency but should not be underestimated given the potential for lateral movement or combined attacks. European entities with exposed or poorly segmented ZeusWeb interfaces are particularly vulnerable.

1. Immediately restrict access to the ZeusWeb administrative interface to trusted networks and enforce strong authentication mechanisms, including multi-factor authentication (MFA). 2. Implement strict input validation and output encoding on all user-supplied data fields, especially the 'Name' and 'Surname' parameters, to neutralize malicious scripts. 3. Monitor web application logs for unusual input patterns or repeated injection attempts targeting the affected parameters. 4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts within the application context. 5. Conduct regular security assessments and penetration tests focusing on web application vulnerabilities, including XSS. 6. Engage with Microcom for official patches or updates addressing this vulnerability and apply them promptly once available. 7. Educate users and administrators about the risks of XSS and safe handling of web application inputs. 8. Consider deploying Web Application Firewalls (WAF) with rules tailored to detect and block XSS payloads targeting ZeusWeb. 9. Segment the network to isolate ZeusWeb servers from general user access and reduce the risk of lateral movement. 10. Review and tighten user privilege assignments to minimize the number of users with access to vulnerable input fields.