CVE-2025-13649 is a reflected Cross-site Scripting (XSS) vulnerability classified under CWE-79, found in Microcom's ZeusWeb product version 6.1.31. The vulnerability arises from improper neutralization of user-supplied input during web page generation, specifically in the 'Recover password' functionality. An attacker can inject arbitrary JavaScript code into the 'Email' parameter of the recovery URL (https://zeus.microcom.es:4040/index.html?zeus6=true) without needing to register or authenticate. When a victim interacts with the crafted URL or submits the vulnerable form, the malicious script executes in the victim's browser context. This can lead to theft of session cookies, redirection to malicious sites, or execution of unauthorized actions on behalf of the user. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, but user interaction is necessary. The vulnerability impacts confidentiality and integrity of user sessions but does not affect availability. No official patches are currently available, and no known exploits have been reported in the wild. The issue underscores the need for proper input validation and output encoding in web applications to prevent injection of executable code.

For European organizations, exploitation of this vulnerability could result in unauthorized access to user accounts, leading to potential data breaches, credential theft, and unauthorized actions within the affected web application. Since the vulnerability is in a password recovery feature, attackers could leverage it to hijack password reset processes or steal session tokens, compromising user identity and access management. This could be particularly damaging for organizations handling sensitive personal data or critical infrastructure. The reflected XSS nature means attacks require user interaction, often via phishing or social engineering, increasing the risk to end users. Additionally, compromised accounts could be used as a foothold for further lateral movement or data exfiltration. The lack of authentication requirement lowers the barrier for attackers, making it easier to target a broad range of users. The medium severity rating suggests moderate impact, but the potential for targeted attacks against high-value European entities warrants prompt attention.

1. Implement strict input validation on the 'Email' parameter in the password recovery form to reject or sanitize malicious scripts. 2. Apply proper output encoding (e.g., HTML entity encoding) before rendering user-supplied input on web pages to prevent script execution. 3. Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers. 4. Limit access to the password recovery page by implementing rate limiting and CAPTCHA to reduce automated abuse. 5. Monitor web application logs for suspicious input patterns indicative of XSS attempts. 6. Educate users about phishing risks and encourage cautious interaction with password recovery links. 7. Coordinate with Microcom for official patches or updates addressing this vulnerability and apply them promptly once available. 8. Consider deploying Web Application Firewalls (WAFs) with rules to detect and block XSS payloads targeting the vulnerable endpoint. 9. Conduct regular security assessments and penetration testing focusing on input validation and session management controls.