CVE-2025-15200: Cross Site Scripting in SohuTV CacheCloud
A vulnerability was detected in SohuTV CacheCloud up to 3.2.0. The affected element is the function getExceptionStatisticsByClient/getCommandStatisticsByClient/doIndex of the file src/main/java/com/sohu/cache/web/controller/AppClientDataShowController.java. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
AI Analysis
Technical Summary
CVE-2025-15200 is a cross-site scripting vulnerability identified in SohuTV CacheCloud versions 3.0 through 3.2.0. The vulnerability resides in the AppClientDataShowController.java file, specifically within the functions getExceptionStatisticsByClient, getCommandStatisticsByClient, and doIndex. These functions handle client-side statistics data but fail to properly sanitize or encode user-supplied input before reflecting it in web responses. As a result, an attacker can craft malicious input that, when processed by these functions, leads to the injection and execution of arbitrary JavaScript code in the context of the victim's browser. The attack vector is remote and does not require authentication, but user interaction is necessary, such as clicking a malicious link or visiting a compromised page. The CVSS 4.0 score of 4.8 reflects a medium severity, considering the ease of exploitation (low complexity), no privileges required, but requiring user interaction and limited impact on confidentiality and integrity. The vulnerability could enable attackers to steal session tokens, perform actions on behalf of users, or deliver further malware. Despite early notification, the vendor has not released a patch, and a public exploit is available, increasing the risk of exploitation. The vulnerability affects organizations using CacheCloud for caching or data management, particularly those exposing client statistics interfaces to users or administrators.
Potential Impact
For European organizations, this vulnerability could lead to client-side attacks such as session hijacking, credential theft, or unauthorized actions performed within the context of a user's session. Organizations that expose CacheCloud's client statistics interfaces on public or semi-public networks are at higher risk. The impact on confidentiality and integrity is limited but non-negligible, as attackers can execute scripts in users' browsers, potentially leading to data leakage or account compromise. Availability impact is minimal. Given the lack of vendor response and public exploit availability, attackers may target vulnerable systems opportunistically. This risk is heightened in sectors with high reliance on caching infrastructure for performance, such as e-commerce, finance, and media. Additionally, organizations with less mature security controls or limited monitoring may be more vulnerable to exploitation and subsequent lateral movement or data exfiltration attempts.
Mitigation Recommendations
1. Immediately restrict access to the vulnerable endpoints (getExceptionStatisticsByClient, getCommandStatisticsByClient, doIndex) by implementing network-level controls such as IP whitelisting or VPN-only access.
2. Implement strict input validation and output encoding on all user-supplied data processed by CacheCloud, especially in the affected controller functions, to prevent script injection.
3. Deploy web application firewalls (WAFs) with custom rules to detect and block XSS payloads targeting CacheCloud endpoints.
4. Monitor web server and application logs for unusual requests or patterns indicative of XSS exploitation attempts.
5. Educate users and administrators about the risk of clicking suspicious links related to CacheCloud interfaces.
6. If feasible, isolate CacheCloud management interfaces from public networks and restrict access to trusted personnel only.
7. Track vendor communications for any forthcoming patches and plan for timely updates once available.
8. Consider deploying Content Security Policy (CSP) headers to reduce the impact of potential XSS attacks by restricting script execution sources.
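For recommendation 4, an added example (not code from CacheCloud or from this advisory): a Python scan of combined-format access logs that undoes nested percent-encoding and flags markup in query parameters sent to the client statistics pages. The route prefix, parameter names and log lines are constructed placeholders; set the prefix to the path the controller is served under in your deployment.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Placeholder route prefix (assumption): replace with your deployment's path.
WATCHED_PREFIX = "/placeholder/client-stats"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Characters and tokens a statistics parameter has no reason to carry.
MARKUP_RE = re.compile(r"[<>\"'`]|javascript:|\bon\w+\s*=", re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding so %253C and %3C both become '<'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line, prefix=WATCHED_PREFIX):
    """Return [(name, decoded_value)] for markup-bearing parameters."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group("target"))
    if not url.path.startswith(prefix):
        return []
    hits = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        decoded = fully_decode(value)
        if MARKUP_RE.search(decoded):
            hits.append((name, decoded))
    return hits

def scan(lines, prefix=WATCHED_PREFIX):
    """Map 1-based line number -> hits, for lines with at least one hit."""
    return {n: h for n, l in enumerate(lines, 1) if (h := suspicious_params(l, prefix))}

# Constructed sample lines (not real traffic); parameter names are hypothetical.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Dec/2025:22:01:10 +0000] "GET /placeholder/client-stats/index?appId=42&type=timeout HTTP/1.1" 200 5120',
    '198.51.100.9 - - [30/Dec/2025:22:03:44 +0000] "GET /placeholder/client-stats/index?appId=42&cmd=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5301',
    '198.51.100.9 - - [30/Dec/2025:22:04:02 +0000] "GET /placeholder/client-stats/index?v=%253Cimg%2520src%253Dx%2520onerror%253D1%253E HTTP/1.1" 200 5288',
    '203.0.113.7 - - [30/Dec/2025:22:05:30 +0000] "GET /other/page?x=%3Cb%3E HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for line_no, hits in scan(SAMPLE_LOG).items():
        print(line_no, hits)
```

A hit on a request that returned 200 is worth correlating with the Referer and the session that issued it, since the payload only runs if a logged-in user followed the link.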
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-12-28T10:16:36.231Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 695450b3db813ff03e2beec4
Added to database: 12/30/2025, 10:22:43 PM
Last enriched: 12/30/2025, 11:16:07 PM
Last updated: 2/3/2026, 12:09:26 AM