CVE-2025-13650 is a Cross-site Scripting (XSS) vulnerability classified under CWE-79 affecting Microcom's ZeusWeb product, specifically version 6.1.31. The vulnerability arises from improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary JavaScript code into the 'Surname' parameter of the 'Create Account' operation at the URL https://zeus.microcom.es:4040/index.html?zeus6=true. Notably, the attack vector does not require user registration or authentication, lowering the barrier for exploitation. However, user interaction is necessary to trigger the malicious payload, as the injected script executes in the context of a victim's browser when they load the affected page or interact with the vulnerable parameter. The CVSS 4.0 base score is 5.1, indicating a medium severity level, with network attack vector, low attack complexity, no privileges required, and user interaction needed. The vulnerability impacts confidentiality and integrity by enabling attackers to steal session cookies, perform actions on behalf of users, or redirect victims to malicious sites. No patches or known exploits are currently available, but the issue is publicly disclosed and should be addressed promptly. The vulnerability is particularly concerning for organizations relying on ZeusWeb for critical web applications, as successful exploitation can undermine user trust and lead to further compromise.

For European organizations, this vulnerability poses a risk primarily to the confidentiality and integrity of user sessions and data within the ZeusWeb application. Attackers could leverage the XSS flaw to hijack user sessions, steal credentials, or perform unauthorized actions, potentially leading to data breaches or unauthorized access to sensitive systems. Given that the vulnerability requires no authentication and is accessible via the public web interface, it could be exploited by remote attackers targeting employees or customers. This risk is heightened in sectors where ZeusWeb is used for critical services, such as government portals, healthcare, or financial institutions. Additionally, the presence of this vulnerability could facilitate phishing attacks or malware distribution through injected scripts. While availability is not directly impacted, the reputational damage and potential regulatory consequences under GDPR for data breaches could be significant. Organizations must consider the threat in the context of their exposure and the sensitivity of data handled by ZeusWeb.

To mitigate CVE-2025-13650, organizations should first verify if they are running the affected version 6.1.31 of Microcom ZeusWeb and prioritize upgrading to a patched version once available. In the absence of an official patch, implement strict input validation on the 'Surname' parameter to reject or sanitize suspicious characters and scripts. Employ robust output encoding techniques to ensure that user-supplied data is safely rendered in the browser, preventing script execution. Deploy a Content Security Policy (CSP) that restricts the execution of inline scripts and limits sources of executable code to trusted domains. Additionally, consider implementing Web Application Firewalls (WAFs) with rules to detect and block common XSS payloads targeting the vulnerable parameter. Educate users about the risks of clicking on suspicious links and monitor logs for unusual activity related to the 'Create Account' operation. Regular security assessments and penetration testing focused on web input handling can help identify residual or similar vulnerabilities. Finally, coordinate with Microcom for timely updates and advisories.