CVE-2025-41021 is a medium-severity stored Cross-Site Scripting (XSS) vulnerability identified in Sergestec's SISTICK product, specifically affecting Exito version 7.2. The vulnerability stems from improper neutralization of user input during web page generation, classified under CWE-79. The issue occurs in the /admin/index.php?action=product_update endpoint, where the 'obs' parameter is not properly validated or sanitized when received via a POST request. This allows an authenticated attacker to inject malicious JavaScript code that gets stored on the server and subsequently executed in the browsers of other authenticated users who access the affected page. Exploitation does not require elevated privileges beyond authentication, but does require user interaction (the victim must visit the affected page). The impact includes theft of session cookies, which can lead to session hijacking, unauthorized actions, and potential compromise of sensitive data within the application. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), user interaction required (UI:P), and limited scope and impact on confidentiality, integrity, and availability. No patches have been published yet, and no known exploits are currently in the wild. The vulnerability was reserved in April 2025 and published in October 2025 by INCIBE, highlighting its recent discovery. Given the nature of stored XSS, the risk is significant in environments where multiple users have administrative or privileged access to the affected system.

For European organizations, the impact of CVE-2025-41021 can be considerable, especially for those using Sergestec SISTICK Exito v7.2 in administrative or sensitive environments. Successful exploitation could lead to session hijacking of authenticated users, enabling attackers to perform unauthorized actions, access confidential information, or disrupt business operations. This is particularly critical for sectors such as government, defense, critical infrastructure, and enterprises handling sensitive personal or financial data. The vulnerability could facilitate lateral movement within networks if attackers leverage stolen sessions to escalate privileges or access other systems. Additionally, reputational damage and regulatory penalties under GDPR could arise if personal data is compromised. The medium severity score reflects moderate risk, but the stored nature of the XSS increases potential impact due to persistent malicious payloads affecting multiple users over time.

Since no official patches are currently available, European organizations should implement immediate compensating controls. These include: 1) Restricting access to the /admin/index.php?action=product_update endpoint to only trusted and necessary users via network segmentation and access control lists; 2) Enforcing strict authentication and session management policies, including multi-factor authentication (MFA) for all administrative users; 3) Implementing Content Security Policy (CSP) headers to limit the execution of unauthorized scripts; 4) Conducting thorough input validation and output encoding on the 'obs' parameter at the application or web server level, if possible through custom WAF (Web Application Firewall) rules; 5) Monitoring logs for unusual POST requests or suspicious activity targeting the vulnerable endpoint; 6) Educating users about the risks of clicking on untrusted links that may trigger stored XSS payloads; 7) Planning for rapid deployment of patches once Sergestec releases an official fix; 8) Regularly reviewing and updating security controls around the affected product. These steps will reduce the attack surface and limit the potential for exploitation until a permanent fix is available.