CVE-2025-36558: CWE-97 in KUNBUS GmbH Revolution Pi PiCtory

Medium
Tags: Vulnerability, CVE-2025-36558, cve, cwe-97
Published: Thu May 01 2025 (05/01/2025, 18:44:22 UTC)
Source: CVE
Vendor/Project: KUNBUS GmbH
Product: Revolution Pi PiCtory

Description

KUNBUS PiCtory version 2.11.1 and earlier are vulnerable to a cross-site-scripting attack via the sso_token used for authentication. If an attacker provides the user with a PiCtory URL containing an HTML script as an sso_token, that script will reply to the user and be executed.

AI-Powered Analysis

Last updated: 06/26/2025, 00:13:29 UTC

Technical Analysis

CVE-2025-36558 is a reflected cross-site scripting (XSS) vulnerability in KUNBUS GmbH's Revolution Pi PiCtory, affecting versions 2.11.1 and earlier. The flaw lies in how the sso_token URL parameter used for authentication is handled: the value is written back into the page without being neutralised, so an attacker who crafts a PiCtory URL with HTML or script in place of the token gets that script executed in the browser of any user who opens the link, within that user's PiCtory origin and session.

The record classifies the weakness as CWE-97. Note that the CWE catalogue title of CWE-97 is Improper Neutralization of Server-Side Includes (SSI) Within a Web Page; the behaviour described here, attacker-controlled input rendered into the page without encoding, is the reflected XSS pattern covered by CWE-79. In either reading the root cause is the same: the application neither validates the sso_token value against the format a real token has nor encodes it for the HTML context before rendering it.

The CVSS v3.1 base score is 6.1 (Medium), vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The attack is launched over the network with low complexity and no privileges, but requires user interaction: the victim must open the crafted link. The scope is changed (S:C) because the vulnerable component is the PiCtory web application while the impact lands in the victim's browser, a different security authority; it does not mean other hosts on the network are affected. Confidentiality and integrity impacts are rated Low: script running in the user's session can read what the page can read, send requests to PiCtory as the user, and alter what the user sees, so session or credential theft and unauthorised configuration changes are possible depending on how PiCtory stores its session. Availability is not affected.

No known exploits are reported in the wild and no patch is linked in the record yet. PiCtory is the web-based configuration tool for Revolution Pi devices used in industrial automation, so the exposed surface is the operator console of an ICS component.
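The sink described above, as an added example that is not PiCtory's or KUNBUS's code: a minimal SSO landing handler that echoes the sso_token parameter into an HTML attribute, shown first in its vulnerable form and then hardened with format validation, context-aware encoding and a Content-Security-Policy header. The hostnames, the token format (TOKEN_RE) and the sample URLs are assumptions constructed for the example.

```javascript
// Added example, not PiCtory's code: a minimal SSO landing handler that echoes the
// ?sso_token=... parameter into the page, shown first as a reflected-XSS sink and then
// hardened. The token format (TOKEN_RE), hostnames and sample URLs are assumptions.

// Constructed sample requests: one with a plausible token, one with a script in the parameter.
const BENIGN_URL = 'https://pictory.example/login?sso_token=abc123DEF.xyz-789_tokenvalue~01';
const MALICIOUS_URL = 'https://pictory.example/login?sso_token="><script>alert(document.cookie)</script>';

// Assumed token alphabet: unreserved URL characters only, so no HTML metacharacter can ever
// be part of a valid token. A real deployment would use whatever its SSO provider issues.
const TOKEN_RE = /^[A-Za-z0-9._~-]{16,512}$/;

// Headers for the hardened response. The CSP forbids inline script, so an injected
// <script> is blocked even if a sink is missed; applications that rely on their own
// inline scripts need nonces or hashes here instead of a bare 'self'.
const SECURITY_HEADERS = {
  'Content-Type': 'text/html; charset=utf-8',
  'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
};

function getToken(requestUrl) {
  // searchParams.get() percent-decodes, so this is the attacker-controlled value as the app sees it.
  return new URL(requestUrl).searchParams.get('sso_token') ?? '';
}

// VULNERABLE: the token is interpolated into an HTML attribute verbatim. A value of
// "><script>...</script> closes the attribute and the tag, and the script runs in the
// victim's browser. This is the bug class the advisory describes; kept vulnerable on purpose.
function renderVulnerable(requestUrl) {
  const token = getToken(requestUrl);
  const body =
    '<html><body><form method="post" action="/session">' +
    `<input type="hidden" name="sso_token" value="${token}">` +
    '<button>Continue</button></form></body></html>';
  return { status: 200, headers: { 'Content-Type': 'text/html; charset=utf-8' }, body };
}

// Entity-encode the five characters that matter in HTML text and double-quoted attribute contexts.
function htmlEscape(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// HARDENED: validate the token against its expected format before it reaches any sink, never
// echo a rejected value back to the user, and still encode for the attribute context as
// defence in depth (the encoding matters again the day someone loosens TOKEN_RE).
function renderHardened(requestUrl) {
  const token = getToken(requestUrl);
  if (!TOKEN_RE.test(token)) {
    return {
      status: 400,
      headers: SECURITY_HEADERS,
      body: '<html><body><p>Invalid SSO token.</p></body></html>',
    };
  }
  const body =
    '<html><body><form method="post" action="/session">' +
    `<input type="hidden" name="sso_token" value="${htmlEscape(token)}">` +
    '<button>Continue</button></form></body></html>';
  return { status: 200, headers: SECURITY_HEADERS, body };
}

// Stand-alone demo: the first output contains the raw <script>, the second is a 400 with no echo.
console.log(renderVulnerable(MALICIOUS_URL).body);
console.log(renderHardened(MALICIOUS_URL));
```

The validation step is the primary control: an authentication token has a known shape, so anything that does not match it is rejected before any rendering code runs, and the rejected value is never reflected. Encoding and the CSP are the second and third layers for the case where a sink is reached anyway.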

Potential Impact

For European organizations in industrial automation, manufacturing and critical infrastructure that run Revolution Pi PiCtory, the risk is session hijacking, credential theft and unauthorised actions performed through a victim's browser. An attacker who gets a PiCtory operator to open a crafted link can read configuration data the operator can see and submit requests to PiCtory as that operator, so the consequence can reach the device configuration and, through it, the controlled process. The scope change in the CVSS vector reflects that the script runs in the user's browser rather than on the PiCtory server; it does not by itself imply reach into other integrated systems, although anything the operator's browser session can access is in play. Confidentiality and integrity of operational data are at risk; availability is not directly affected. Because user interaction is required, the likely delivery is a phishing or social-engineering message carrying the URL. The medium CVSS score reflects moderate risk in isolation, but in an industrial context a configuration change made through a hijacked operator session can have outsized consequences.

Mitigation Recommendations

1. Until a fixed version is installed, warn PiCtory users not to open unsolicited PiCtory links, in particular URLs whose sso_token parameter contains anything other than an opaque token value (angle brackets, quotes, or their percent-encoded forms such as %3C).
2. The code-level fix is strict validation plus context-aware output encoding: reject any sso_token that does not match the format the SSO provider issues before it reaches any page, never echo a rejected value back to the user, and HTML-entity-encode anything that is rendered. Operators cannot apply this themselves; it is what to look for in the vendor's fix or in any fork they maintain.
3. Put PiCtory behind a reverse proxy or web application firewall with a rule that inspects the sso_token value for script indicators. Match on the decoded value: a rule that only looks at the raw request line misses %3Cscript%3E.
4. Monitor the web server logs for requests whose sso_token does not look like a token, and for repeated attempts from one source; the same decode-then-check logic applies.
5. Keep the PiCtory management interface off the general corporate network, reachable only from an engineering VLAN or through a jump host, so that a phished workstation elsewhere cannot reach it.
6. Apply the vendor's fix as soon as KUNBUS publishes one; none is linked in the record at the time of writing.
7. Send a Content-Security-Policy header that disallows unrestricted inline script (for example script-src 'self', with nonces or hashes for the application's own inline code), from the proxy or the application. This blocks the injected script even where a sink is missed, but only if the application does not itself depend on arbitrary inline script; test it before enforcing.
8. Include the web interface in periodic security assessments and penetration tests, with reflected-parameter testing of every authentication-related URL parameter, to catch the same pattern elsewhere.
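The decode-then-check logic from points 3 and 4, as an added example that is not the page's, KUNBUS's or any WAF vendor's code: it scans constructed access-log lines for requests whose sso_token is an XSS probe or simply does not look like a token. The log format (Apache common log format), the token alphabet, the IP addresses and the paths are all assumptions for the example.

```javascript
// Added example, not PiCtory's or KUNBUS's code: scan web-server access logs for requests
// whose sso_token parameter looks like an XSS probe. The log format (Apache common log
// format), the token alphabet and every IP and path below are assumptions for the example.

// Constructed sample log lines, not captured from a real device.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/May/2025:18:44:22 +0000] "GET /pictory/login?sso_token=abc123DEF.xyz-789_tokenvalue~01 HTTP/1.1" 200 512',
  '10.0.0.9 - - [01/May/2025:18:45:01 +0000] "GET /pictory/login?sso_token=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640',
  '10.0.0.9 - - [01/May/2025:18:45:07 +0000] "GET /pictory/login?sso_token=%2522%253E%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 640',
  '10.0.0.7 - - [01/May/2025:18:46:00 +0000] "GET /pictory/index.html HTTP/1.1" 200 2048',
  '10.0.0.8 - - [01/May/2025:18:47:13 +0000] "GET /pictory/login?sso_token=abc HTTP/1.1" 302 0',
];

const REQUEST_RE = /"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/;
// Assumed token format: the unreserved-character alphabet the application is expected to accept.
const TOKEN_RE = /^[A-Za-z0-9._~-]{16,512}$/;
// Signatures for the common reflected-XSS shapes: tags, event-handler attributes, javascript: URLs.
const SCRIPT_INDICATORS = /<\s*\/?\s*(script|img|svg|iframe|object|embed|body)\b|\bon[a-z]+\s*=|javascript:/i;

// Percent-decode repeatedly (bounded) so double-encoded probes such as %253C are seen as '<'.
// A malformed sequence (a lone '%') stops the loop instead of throwing.
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch {
      break;
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Classify one log line. Returns null when the line carries no sso_token parameter.
function inspectLogLine(line) {
  const m = REQUEST_RE.exec(line);
  if (!m) return null;
  const url = new URL(m[1], 'http://placeholder.invalid');
  const raw = url.searchParams.get('sso_token'); // already decoded once by the URL parser
  if (raw === null) return null;
  const token = fullyDecode(raw);
  let verdict = 'ok';
  if (SCRIPT_INDICATORS.test(token)) {
    verdict = 'xss-probe';
  } else if (!TOKEN_RE.test(token)) {
    verdict = 'malformed-token'; // the allow-list check catches payloads the signatures miss
  }
  return { ip: line.split(' ')[0], path: url.pathname, token, verdict };
}

// Everything that is not a clean token, in log order.
function scanLog(lines) {
  return lines.map(inspectLogLine).filter((r) => r !== null && r.verdict !== 'ok');
}

// Stand-alone demo: prints the two probes from 10.0.0.9 and the malformed token from 10.0.0.8.
for (const finding of scanLog(SAMPLE_LOG)) console.log(finding);
```

The allow-list verdict is the one to rely on: signatures such as `<script` catch known probe shapes, but a token that fails its own format check is suspicious regardless of whether any signature fires, and that check is immune to encoding tricks once the value has been fully decoded.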

Technical Details

Data Version: 5.1
Assigner Short Name: icscert
Date Reserved: 2025-04-17T20:46:42.125Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9838c4522896dcbec1a1

Added to database: 5/21/2025, 9:09:12 AM

Last enriched: 6/26/2025, 12:13:29 AM

Last updated: 7/28/2025, 3:00:35 PM
