CVE-2025-35996: CWE-97 in KUNBUS GmbH Revolution Pi PiCtory
KUNBUS PiCtory version 2.11.1 and earlier are vulnerable when an authenticated remote attacker crafts a special filename that can be stored by API endpoints. That filename is later transmitted to the client in order to show a list of configuration files. Due to missing escaping or sanitization, the filename could be executed as an HTML script tag, resulting in a cross-site scripting attack.
AI Analysis
Technical Summary
CVE-2025-35996 is a critical cross-site scripting (XSS) vulnerability identified in KUNBUS GmbH's Revolution Pi PiCtory software, specifically affecting version 2.11.1 and earlier. The vulnerability arises from improper handling of filenames submitted via API endpoints by authenticated remote users. An attacker with valid credentials can craft a malicious filename containing executable HTML script tags. This filename is stored by the system and later transmitted back to clients when displaying a list of configuration files. Due to the lack of proper escaping or sanitization of these filenames, the embedded script code executes in the context of the client’s browser, enabling a stored XSS attack. The vulnerability is classified under CWE-97 (Improper Neutralization of Script-Related HTML Tags in a Web Page), which highlights failures in sanitizing input that can lead to script injection. The CVSS v3.1 base score is 9.0, reflecting a critical severity with network attack vector, low attack complexity, required privileges (authenticated user), user interaction needed, and a scope change that affects confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk due to its potential to execute arbitrary scripts in clients’ browsers, which can lead to session hijacking, credential theft, or further exploitation within the network. The affected product, Revolution Pi PiCtory, is used in industrial automation environments, particularly in industrial control systems (ICS) and Internet of Things (IoT) deployments, where secure configuration management is critical. The vulnerability’s exploitation could undermine trust in configuration data, enable lateral movement, or disrupt industrial processes by compromising user sessions or injecting malicious commands via the web interface.
Potential Impact
For European organizations, especially those operating in industrial automation, manufacturing, and critical infrastructure sectors, this vulnerability presents a high risk. Exploitation could allow attackers to execute malicious scripts in the browsers of authorized users, potentially leading to theft of authentication tokens, unauthorized command execution, or manipulation of configuration files. This can result in operational disruptions, data breaches, and loss of control over industrial processes. Given the critical nature of industrial control systems in sectors such as energy, transportation, and manufacturing across Europe, successful exploitation could have cascading effects on supply chains and public safety. The requirement for authentication limits exposure to some extent; however, insider threats or compromised credentials could facilitate attacks. The vulnerability’s impact on confidentiality, integrity, and availability is severe, as attackers could gain persistent footholds or disrupt system operations. Additionally, the scope change in the CVSS vector indicates that the vulnerability affects components beyond the initially vulnerable module, potentially impacting multiple systems or users within an organization.
Mitigation Recommendations
1. Immediate patching or upgrading to a fixed version of Revolution Pi PiCtory once available from KUNBUS GmbH is the most effective mitigation.
2. Until patches are released, implement strict input validation and output encoding on all API endpoints handling filenames to neutralize script tags and other HTML elements. Web application firewalls (WAFs) with custom rules can additionally detect and block malicious payloads in filenames.
3. Restrict access to the PiCtory API endpoints to trusted networks and users, minimizing the attack surface.
4. Enforce strong authentication mechanisms, including multi-factor authentication (MFA), to reduce the risk of credential compromise.
5. Conduct regular security audits and monitor logs for unusual filename submissions or suspicious user activity.
6. Educate users about the risks of XSS and encourage cautious behavior when interacting with configuration file lists or web interfaces.
7. Employ Content Security Policy (CSP) headers on the web interface to limit the execution of unauthorized scripts in clients' browsers.
8. Segment industrial networks to isolate critical control systems from general IT networks, reducing the impact of potential exploitation.
These measures combined will reduce the likelihood and impact of exploitation until a vendor patch is available.
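The following is an added example, not PiCtory code, illustrating the defect class in the technical summary and the validation/encoding mitigation above: a filename list rendered into HTML without escaping beside the same list rendered with output encoding, plus an allow-list check for the storage side. The sample filenames and the `.rsc` extension are constructed assumptions.

```javascript
// Constructed sample list; the third entry is the kind of name the advisory
// describes: an HTML script tag carried inside the filename itself.
const SAMPLE_FILENAMES = [
  "_config.rsc",
  "line2-backup.rsc",
  "<script>x</script>.rsc",
];

// Vulnerable pattern (CWE-97): the stored filename is interpolated into markup
// as-is, so a browser assigning this string via innerHTML parses the tag.
function renderFileListUnsafe(names) {
  return "<ul>" + names.map((n) => `<li>${n}</li>`).join("") + "</ul>";
}

// Output encoding: neutralise the HTML metacharacters before an untrusted
// value enters an HTML element context. Apply at render time, every time.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened rendering: same list, every name encoded.
function renderFileListSafe(names) {
  return "<ul>" + names.map((n) => `<li>${escapeHtml(n)}</li>`).join("") + "</ul>";
}

// Input validation for the API that stores filenames: accept only a
// conservative allow-list (letters, digits, dot, dash, underscore), a bounded
// length and the expected extension; reject anything else instead of "cleaning" it.
const SAFE_CONFIG_NAME = /^[A-Za-z0-9_-][A-Za-z0-9._-]{0,63}\.rsc$/;
function isSafeConfigFilename(name) {
  return typeof name === "string" && !name.includes("..") && SAFE_CONFIG_NAME.test(name);
}

// Defence in depth: drop names that fail validation, and still encode the rest.
function renderFileList(names) {
  return renderFileListSafe(names.filter(isSafeConfigFilename));
}
```

Validation and encoding are independent layers: the encoder protects the HTML context even if a bad name slipped into storage before the check existed.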
Affected Countries
Germany, France, Italy, Netherlands, Belgium, Poland, Czech Republic
Technical Details
- Data Version: 5.1
- Assigner Short Name: icscert
- Date Reserved: 2025-04-17T20:46:42.189Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9838c4522896dcbec19b
Added to database: 5/21/2025, 9:09:12 AM
Last enriched: 6/25/2025, 10:59:58 PM
Last updated: 7/29/2025, 3:22:17 AM