CVE-2025-22572 identifies a stored cross-site scripting (XSS) vulnerability in the Brian Legacy ePlayer sportspress-tv software, affecting all versions up to and including 0.9.9. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows attackers to inject malicious JavaScript code that is stored persistently on the server and executed in the browsers of users who view the affected pages. This type of vulnerability can be exploited by attackers to perform a range of malicious activities such as stealing session cookies, redirecting users to malicious sites, or executing unauthorized actions on behalf of authenticated users. The vulnerability does not require authentication or complex user interaction, increasing its exploitability. Although no public exploits have been reported yet, the presence of stored XSS in a widely used media player component for sports content distribution represents a significant security risk. The lack of an available patch at the time of disclosure necessitates immediate attention from organizations using this software. The vulnerability affects the confidentiality and integrity of user data and can lead to broader compromise of affected systems if leveraged in multi-stage attacks.

The impact of CVE-2025-22572 is substantial for organizations deploying Brian Legacy ePlayer in their sports media or content delivery infrastructure. Successful exploitation can lead to theft of user credentials, session hijacking, and unauthorized actions performed with the privileges of legitimate users. This can result in data breaches, defacement of web content, and loss of user trust. For organizations relying on this software for live or archived sports content, the vulnerability could disrupt service integrity and availability indirectly through subsequent attacks. Additionally, attackers could use the vulnerability as a foothold for further network penetration or to distribute malware to end users. The absence of known exploits currently provides a window for mitigation, but the ease of exploitation and the persistent nature of stored XSS make this a critical risk if left unaddressed.

To mitigate CVE-2025-22572, organizations should immediately audit their use of Brian Legacy ePlayer and restrict access to affected versions (<= 0.9.9). Although no official patch is currently available, administrators should implement strict input validation and output encoding on all user-supplied data rendered in web pages to neutralize malicious scripts. Employing Content Security Policy (CSP) headers can help limit the execution of unauthorized scripts. Regularly scanning web applications for XSS vulnerabilities using automated tools and manual testing is recommended. Additionally, monitoring logs for suspicious input patterns and anomalous user behavior can help detect exploitation attempts early. Organizations should also prepare to update or replace the Legacy ePlayer component once a vendor patch is released. Educating users about the risks of clicking unknown links and maintaining robust web application firewalls (WAFs) configured to detect and block XSS payloads will further reduce risk.