CVE-2025-14701 is a stored Cross-site Scripting (XSS) vulnerability classified under CWE-79, affecting the Server MOTD component of the Crafty Controller product by Arcadia Technology, LLC. The vulnerability arises due to improper neutralization of input during web page generation, specifically when the server's Message of the Day content is modified. An attacker can remotely and without authentication inject malicious JavaScript code into the MOTD, which is then stored and executed in the browsers of users who view the MOTD page. This stored XSS can lead to the theft of sensitive information such as session cookies, enabling session hijacking or other client-side attacks. The CVSS v3.1 base score is 7.1, reflecting a high severity with network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The impact is primarily on confidentiality (C:H), with limited integrity (I:L) and no availability (A:N) impact. No patches or known exploits are currently available, but the vulnerability is publicly disclosed and should be addressed promptly. The affected version is listed as '0', which likely indicates initial or early versions of the product. The vulnerability's exploitation scope is limited to users who access the MOTD page, but the unauthenticated remote attack vector increases risk. The lack of input sanitization or output encoding in the MOTD component is the root cause, making it vulnerable to script injection.

For European organizations, this vulnerability poses a significant risk to confidentiality, as attackers can steal session tokens or perform actions on behalf of users by exploiting the stored XSS. Organizations using Crafty Controller in environments where the MOTD is accessible to multiple users or administrators are particularly vulnerable. The attack could lead to unauthorized access to sensitive systems, data leakage, or further compromise of internal networks. While the integrity and availability impacts are limited, the confidentiality breach alone can have severe consequences, including regulatory non-compliance under GDPR if personal data is exposed. The unauthenticated nature of the attack increases the threat surface, allowing external attackers to attempt exploitation without prior access. This is especially critical for sectors such as finance, healthcare, and critical infrastructure in Europe that rely on Crafty Controller for automation or control systems. The absence of patches means organizations must rely on mitigations until a fix is released. The potential for lateral movement or escalation following successful exploitation increases the overall risk profile.

1. Immediately restrict access to the Server MOTD modification interface to trusted administrators only, using network segmentation and access control lists. 2. Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the MOTD component, focusing on script tags and event handlers. 3. Apply strict input validation and output encoding on the MOTD content to neutralize any injected scripts; if source code access is available, sanitize inputs using secure libraries or frameworks. 4. Disable or remove the MOTD feature temporarily if it is not essential to operations until a vendor patch is available. 5. Monitor logs and user activity for unusual changes to the MOTD or unexpected script execution behaviors. 6. Educate users to be cautious when interacting with the MOTD page and report any suspicious behavior. 7. Engage with Arcadia Technology for updates on patches or security advisories and plan for timely deployment once available. 8. Conduct internal penetration testing focusing on the MOTD and related web components to identify any other injection points. 9. Use Content Security Policy (CSP) headers to restrict script execution sources in browsers accessing the Crafty Controller interface. 10. Maintain up-to-date backups and incident response plans to quickly recover from any exploitation attempts.