CVE-2025-13648: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Microcom ZeusWeb
An attacker with access to the ZeusWeb web application from the vendor Microcom (registration is required in this case) on the vulnerable version could introduce arbitrary JavaScript by injecting an XSS payload into the 'Name' and 'Surname' parameters within the 'My Account' section at the URL https://zeus.microcom.es:4040/administracion-estaciones.html, resulting in a stored XSS. This issue affects ZeusWeb: 6.1.31.
AI Analysis
Technical Summary
CVE-2025-13648 is a stored cross-site scripting (XSS) vulnerability identified in Microcom's ZeusWeb version 6.1.31. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically in the 'Name' and 'Surname' parameters of the 'My Account' section of the web application at https://zeus.microcom.es:4040/administracion-estaciones.html. An authenticated attacker with access to the application can inject arbitrary JavaScript into these fields. Because the injected script is stored persistently, it executes in the browsers of other users who view the affected pages, potentially compromising their sessions or exposing sensitive information. Exploitation requires low privileges (an authenticated account) and user interaction (the victim must view the malicious content). The CVSS score of 4.8 reflects a network attack vector, low attack complexity, low privileges required (an authenticated account), low impact on confidentiality and integrity, and limited impact on availability. No public exploits are known at this time. Only version 6.1.31 of ZeusWeb is reported as affected; ZeusWeb is a Microcom web-based management system likely used in industrial or infrastructure contexts. The root cause is insufficient input validation and output encoding of user-supplied data, which allows script injection. The vulnerability could be leveraged for session hijacking, phishing, or unauthorized actions within the application context.
Potential Impact
For European organizations using Microcom ZeusWeb 6.1.31, this vulnerability poses a moderate risk. Exploitation could lead to unauthorized script execution in users' browsers, enabling session hijacking, credential theft, or manipulation of user actions within the application. This could compromise the integrity and confidentiality of sensitive data managed by ZeusWeb, especially if it is used in critical infrastructure or industrial environments. The requirement for authentication limits exposure, but insider threats or compromised accounts could be leveraged to exploit this vulnerability. The persistent nature of the XSS increases the risk of widespread impact within an organization. Additionally, exploitation could facilitate further attacks such as lateral movement or privilege escalation. The lack of known exploits reduces immediate risk but does not eliminate the threat. Organizations in sectors like energy, manufacturing, or utilities using ZeusWeb should be particularly vigilant due to the potential operational impact.
Mitigation Recommendations
1. Apply strict input validation on the 'Name' and 'Surname' fields to reject or sanitize any input containing script or HTML elements.
2. Implement proper output encoding/escaping on all user-supplied data before rendering it in web pages to prevent script execution.
3. Restrict user privileges to the minimum necessary to reduce the risk of malicious input from authenticated users.
4. Monitor application logs and user activity for unusual behavior indicative of XSS exploitation attempts.
5. If possible, upgrade to a patched version of ZeusWeb once available, or contact Microcom for vendor-provided fixes.
6. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the browser.
7. Educate users about the risks of clicking on suspicious links or interacting with untrusted content within the application.
8. Conduct regular security assessments and penetration testing focusing on input validation and XSS vulnerabilities in ZeusWeb deployments.
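As an added, self-contained illustration of recommendations 1, 2 and 6 above (this is not code from Microcom or ZeusWeb; the profile template, the sample field values and the function names are constructed for the example): the vulnerable rendering pattern for the 'Name'/'Surname' fields beside its output-encoded form, a check that flags user markup surviving in the rendered fragment, a name-field validator that still accepts apostrophes and accented letters, and a CSP response header.

```python
import html
import re

# Constructed sample values for the 'My Account' Name/Surname fields: one ordinary
# profile and one whose fields carry HTML markup of the kind the advisory describes.
SAMPLE_PROFILES = [
    {"name": "Ana", "surname": "García"},
    {"name": "<script>alert(1)</script>", "surname": "O'Brien"},
]

# The only tags the profile template itself emits; any other tag in the rendered
# fragment is user markup that reached the page unencoded.
EXPECTED_TAGS = {"<p>", "</p>"}
TAG_RE = re.compile(r"</?[^>]+>")


def render_profile_unsafe(profile):
    """Vulnerable pattern (CWE-79): stored values concatenated straight into HTML."""
    return f"<p>Name: {profile['name']}</p><p>Surname: {profile['surname']}</p>"


def render_profile_safe(profile):
    """Hardened pattern (recommendation 2): HTML-entity encode every user value at output."""
    name = html.escape(profile["name"], quote=True)
    surname = html.escape(profile["surname"], quote=True)
    return f"<p>Name: {name}</p><p>Surname: {surname}</p>"


def has_unescaped_markup(fragment):
    """True if any tag other than the template's own <p>/</p> survives in the output."""
    return any(tag not in EXPECTED_TAGS for tag in TAG_RE.findall(fragment))


# Defence in depth (recommendation 1): a personal name has no legitimate use for '<',
# '>', '&' or double quotes, so reject such input before it is stored. Letters in any
# script, spaces, apostrophes and hyphens stay allowed (García, O'Brien, Jean-Luc);
# the apostrophe is left to output encoding, which turns it into &#x27;.
NAME_RE = re.compile(r"[^\W\d_](?:[^\W\d_]|[ '\-])*")


def is_valid_name(value):
    return 1 <= len(value) <= 64 and NAME_RE.fullmatch(value) is not None


def csp_header():
    """Recommendation 6: a policy that blocks inline and off-origin scripts, so an
    encoding miss elsewhere does not become script execution. Sent as a response header."""
    return ("Content-Security-Policy: default-src 'self'; script-src 'self'; "
            "object-src 'none'; base-uri 'self'")
```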
Affected Countries
Spain, Germany, France, Italy, United Kingdom, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: HackRTU
- Date Reserved: 2025-11-25T09:45:45.902Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 698c48e04b57a58fa1864cfa
Added to database: 2/11/2026, 9:16:16 AM
Last enriched: 2/18/2026, 9:51:33 AM
Last updated: 3/28/2026, 9:25:31 AM