CVE-2025-13650 identifies a Cross-site Scripting (XSS) vulnerability classified under CWE-79 in Microcom's ZeusWeb product, specifically version 6.1.31. The vulnerability arises from improper neutralization of user input during web page generation, allowing an attacker to inject arbitrary JavaScript code into the 'Surname' parameter of the 'Create Account' operation. This operation is accessible at the URL https://zeus.microcom.es:4040/index.html?zeus6=true and does not require user registration, lowering the barrier to attack. The vulnerability enables an attacker to craft malicious payloads that, when executed by a victim's browser, can hijack user sessions, steal cookies, or perform actions on behalf of the user. The CVSS 4.0 vector indicates the attack is network-based (AV:N), requires low attack complexity (AC:L), no privileges (PR:L) but does require user interaction (UI:P). The impact on confidentiality and integrity is low to moderate, with no direct availability impact. No patches or known exploits are currently available, but the vulnerability is publicly disclosed and should be treated proactively. The vulnerability's exploitation depends on victim interaction, such as clicking a crafted link or submitting a form containing the malicious payload. ZeusWeb is a web application platform used by various organizations, and this vulnerability could be leveraged to target users of affected deployments.

For European organizations, the impact of CVE-2025-13650 can be significant in environments where ZeusWeb 6.1.31 is deployed, especially in sectors handling sensitive user data or critical web services. Successful exploitation could lead to session hijacking, credential theft, or unauthorized actions performed under the victim's identity, undermining user trust and potentially leading to data breaches. The vulnerability's requirement for user interaction limits mass exploitation but targeted phishing or social engineering campaigns could be effective. Given the web-based nature of the vulnerability, organizations with public-facing ZeusWeb instances are at higher risk. The medium CVSS score reflects moderate risk, but the actual impact depends on the deployment context and the sensitivity of the data processed. European regulatory frameworks such as GDPR impose strict requirements on data protection, and exploitation leading to data leakage could result in regulatory penalties and reputational damage. Additionally, sectors like finance, healthcare, and government are particularly sensitive to XSS attacks due to the potential for privilege escalation and data manipulation.

To mitigate CVE-2025-13650, organizations should implement multiple layers of defense: 1) Apply strict input validation on the 'Surname' parameter and all user inputs to reject or sanitize potentially malicious characters and scripts. 2) Employ context-aware output encoding/escaping to neutralize any injected scripts before rendering in the browser. 3) Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS payloads. 4) Restrict access to the 'Create Account' operation endpoint via network controls or authentication mechanisms if possible, to reduce exposure. 5) Educate users about phishing and social engineering risks to minimize successful triggering of malicious payloads. 6) Monitor web application logs for suspicious input patterns indicative of attempted exploitation. 7) Engage with Microcom for patches or updates and apply them promptly once available. 8) Consider deploying Web Application Firewalls (WAFs) with rules targeting XSS payload signatures specific to this vulnerability. These measures combined will reduce the likelihood and impact of exploitation beyond generic advice.