CVE-2025-14186 identifies a basic cross-site scripting vulnerability in the Grandstream GXP1625 IP phone firmware version 1.0.7.4. The vulnerability resides in an unspecified function within the /cgi-bin/api.values.post CGI endpoint, specifically related to the vpn_ip parameter on the Network Status Page. By manipulating this parameter, an attacker can inject malicious JavaScript code that executes in the context of the victim’s browser when they access the affected page. The vulnerability is remotely exploitable without requiring authentication, although user interaction is necessary to trigger the malicious script. This XSS flaw can be leveraged to steal session cookies, perform phishing attacks, or execute arbitrary actions on behalf of the user within the device’s web interface. The vendor was informed early but has not responded or released a patch, and a public exploit is available, increasing the risk of exploitation. The CVSS 4.0 score of 5.1 reflects a medium severity, considering the ease of remote exploitation but the need for user interaction and limited impact on availability. The vulnerability affects only firmware version 1.0.7.4 of the GXP1625 model. No mitigations or patches have been officially published, leaving organizations reliant on network-level controls and monitoring to reduce risk.

For European organizations, this vulnerability poses a moderate risk primarily to confidentiality and integrity. Exploitation could allow attackers to execute malicious scripts within the context of the device’s web interface, potentially leading to credential theft, session hijacking, or unauthorized configuration changes. Given that the GXP1625 is a VoIP device, compromise could disrupt communications or facilitate further lateral movement within corporate networks. The lack of vendor response and patch increases exposure, especially in environments where these devices are accessible from less trusted networks or the internet. Sectors with critical communications infrastructure, such as finance, government, and telecommunications, may experience operational disruptions or data breaches if exploited. However, the requirement for user interaction and the medium CVSS score suggest the threat is serious but not critical. Organizations relying heavily on Grandstream devices without compensating controls are at higher risk.

Since no official patch or vendor guidance is available, European organizations should implement specific mitigations: 1) Restrict access to the management interface of GXP1625 devices using network segmentation and firewall rules, limiting exposure to trusted internal networks only. 2) Disable or restrict web interface access where possible, or enforce strong authentication and session management controls. 3) Monitor network traffic and device logs for unusual requests targeting /cgi-bin/api.values.post or suspicious vpn_ip parameter values. 4) Educate users about the risks of clicking on untrusted links or interacting with unexpected device web pages to reduce the chance of triggering XSS payloads. 5) Consider replacing or upgrading affected devices to models with patched firmware once available. 6) Employ web application firewalls (WAF) or intrusion prevention systems (IPS) capable of detecting and blocking XSS attack patterns targeting these devices. 7) Maintain an inventory of all Grandstream devices to ensure timely identification and response.