CVE-2025-22574 identifies a Stored Cross-site Scripting (XSS) vulnerability in the Cleanshooter ICS Button product, affecting versions up to and including 0.6. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows malicious scripts to be injected and persistently stored on the server. When other users access the affected web pages, the malicious scripts execute in their browsers within the security context of the ICS Button application. This can lead to a range of attacks including session hijacking, credential theft, unauthorized actions on behalf of users, and delivery of malware. Stored XSS is particularly dangerous because the payload is saved on the server and served to multiple users, increasing the attack surface. The vulnerability does not require authentication or user interaction beyond visiting the compromised page, making exploitation straightforward. Although no public exploits have been reported yet, the flaw is publicly disclosed and thus may attract attackers. The lack of a CVSS score indicates the need for a manual severity assessment, which considers the broad impact on confidentiality, integrity, and availability of affected systems. ICS Button is typically used in industrial control system environments, which are critical infrastructure components, thereby increasing the potential impact of successful exploitation.

The impact of this Stored XSS vulnerability on organizations worldwide can be significant, especially for those deploying Cleanshooter ICS Button in industrial control system (ICS) environments. Successful exploitation can lead to unauthorized access to user sessions, theft of sensitive information such as credentials or operational data, and potential manipulation of ICS interfaces. This could disrupt industrial processes, cause operational downtime, or enable further attacks such as malware deployment or lateral movement within networks. Given the critical nature of ICS environments, even limited compromise can have cascading effects on safety, reliability, and compliance. Additionally, the persistent nature of Stored XSS means multiple users can be affected, amplifying the risk. Organizations lacking timely patches or mitigations may face reputational damage, regulatory penalties, and increased remediation costs. The absence of known exploits currently reduces immediate risk but does not eliminate the threat, as public disclosure often precedes active exploitation attempts.

To mitigate CVE-2025-22574, organizations should first verify the use of Cleanshooter ICS Button versions up to 0.6 and plan immediate upgrades to patched versions once available. In the absence of official patches, implement strict input validation and output encoding on all user-supplied data to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Regularly audit and sanitize stored data to remove any malicious payloads. Limit user privileges and access controls to reduce the impact of potential exploitation. Monitor web application logs for unusual input patterns or suspicious activity indicative of XSS attempts. Additionally, educate users about the risks of XSS and encourage cautious behavior when interacting with ICS web interfaces. For ICS environments, segment networks to isolate critical control systems from general IT infrastructure, reducing exposure. Finally, maintain an incident response plan tailored to web application attacks to enable rapid containment and recovery.