CVE-2025-13649 is an XSS vulnerability classified under CWE-79 affecting Microcom's ZeusWeb version 6.1.31. The flaw arises from improper neutralization of user input during web page generation, specifically in the 'Email' parameter of the password recovery feature. An attacker can craft a malicious payload injected into this parameter, which is then reflected in the web page without adequate sanitization or encoding. This enables execution of arbitrary JavaScript in the context of the victim's browser when they access the vulnerable URL (https://zeus.microcom.es:4040/index.html?zeus6=true). The attack vector is network accessible (AV:N), requires low attack complexity (AC:L), no privileges (PR:L) but does require user interaction (UI:P). The vulnerability impacts confidentiality and integrity by potentially allowing session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The vulnerability does not affect availability and does not require authentication to exploit, increasing its risk profile. No patches or known exploits are currently available, but the vulnerability is publicly disclosed and should be addressed promptly. The CVSS 4.0 score of 5.1 reflects a medium severity level, indicating moderate risk. The vulnerability is particularly relevant for organizations relying on ZeusWeb for web-based services, especially those exposing the password recovery functionality to external users.

For European organizations, exploitation of this XSS vulnerability could lead to compromise of user accounts through session hijacking or theft of sensitive information such as credentials. This is especially critical for organizations handling sensitive or regulated data, including financial institutions, healthcare providers, and government agencies. Attackers could use the vulnerability to perform phishing or social engineering attacks by injecting malicious scripts that mimic legitimate pages or capture user input. The vulnerability could also be leveraged as a foothold for further attacks within the network if users with elevated privileges are targeted. Given the web-based nature of the vulnerability, any organization exposing ZeusWeb's password recovery page to the internet is at risk. The lack of authentication requirement lowers the barrier for attackers, increasing the likelihood of exploitation. Although no known exploits are reported, the public disclosure increases the risk of future exploitation attempts. The impact on confidentiality and integrity is moderate, but the potential for reputational damage and regulatory consequences in Europe is significant.

Organizations should immediately assess their use of Microcom ZeusWeb version 6.1.31 and restrict access to the password recovery page where feasible, such as by IP whitelisting or VPN access. Implement robust input validation and output encoding on the 'Email' parameter to neutralize malicious scripts before rendering. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Monitor web application logs for suspicious activity related to the password recovery functionality. Educate users about the risks of phishing and encourage cautious interaction with password recovery emails or links. If possible, upgrade to a patched version of ZeusWeb once available or apply vendor-provided mitigations. Consider deploying Web Application Firewalls (WAFs) with rules to detect and block XSS payloads targeting the affected endpoint. Regularly review and update security controls around web applications to reduce attack surface exposure.