CVE-2025-44206: n/a
Hexagon HxGN OnCall Dispatch Advantage (Web) v10.2309.03.00264 and Hexagon HxGN OnCall Dispatch Advantage (Mobile) v10.2402 are vulnerable to Cross Site Scripting (XSS) which allows a remote authenticated attacker with access to the Broadcast (Person) functionality to execute arbitrary code.
AI Analysis
Technical Summary
CVE-2025-44206 is a Cross Site Scripting (XSS) vulnerability affecting Hexagon HxGN OnCall Dispatch Advantage (Web) version 10.2309.03.00264 and Hexagon HxGN OnCall Dispatch Advantage (Mobile) version 10.2402. A remote attacker who is authenticated and has access to the Broadcast (Person) functionality can inject script that executes in the context of the victim's browser. The flaw stems from insufficient input sanitization or output encoding in the Broadcast feature, which allows malicious script to be stored or reflected in broadcast content. Exploitation requires legitimate credentials with privileges to use the Broadcast functionality, and the victim must interact with the crafted content, since user interaction is required to trigger the payload. The CVSS v3.1 base score is 4.6 (medium severity): attack vector network, low attack complexity, privileges required, and user interaction required. Confidentiality and integrity impact is limited: injected script may steal session tokens, manipulate displayed data, or perform actions on behalf of the user within the application context. No availability impact is indicated. No known exploits in the wild have been reported to date. No patch links are currently available for the affected versions, so mitigation may have to rely on configuration and access control until a fix is released.
Potential Impact
For European organizations using Hexagon HxGN OnCall Dispatch Advantage, particularly those in emergency services, public safety, or critical infrastructure sectors, this vulnerability poses a risk of unauthorized script execution within user sessions. An attacker with valid credentials could use this flaw to hijack user sessions, manipulate dispatch communications, or inject misleading information, potentially disrupting operational workflows. Although the direct impact on confidentiality and integrity is limited, arbitrary script execution could facilitate further attacks such as phishing, credential theft, or lateral movement within the network. Because the product is used for dispatch and communication, any compromise could degrade trust in communication channels and delay critical response times. The requirement for authentication and user interaction limits the attack surface but does not eliminate risk, especially in environments with many users or where credential compromise is possible. The absence of known exploits reduces the immediate threat, but vigilance is warranted.
Mitigation Recommendations
1. Restrict access to the Broadcast (Person) functionality strictly to trusted and necessary personnel, minimizing the number of users who could exploit this vulnerability.
2. Implement strict input validation and output encoding on all user-supplied data related to the Broadcast feature, if possible via configuration or custom filters, until a vendor patch is available.
3. Enforce multi-factor authentication (MFA) for all users to reduce the risk of credential compromise.
4. Monitor user activity logs for unusual behavior related to the Broadcast functionality, such as unexpected message content or scripting elements.
5. Educate users to be cautious when interacting with broadcast messages, especially those containing links or unexpected content.
6. Apply network segmentation to isolate dispatch systems from general corporate networks to limit lateral movement in case of compromise.
7. Stay in contact with Hexagon for timely updates and apply patches immediately once released.
8. Consider deploying Web Application Firewalls (WAF) with custom rules to detect and block typical XSS payloads targeting the Broadcast functionality.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-04-22T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 685c1d03a1cfc9c6487ddcaf
Added to database: 6/25/2025, 4:00:03 PM
Last enriched: 6/25/2025, 4:08:19 PM
Last updated: 8/1/2025, 3:19:48 AM
Views: 11
Related Threats
- CVE-2025-8491: CWE-352 Cross-Site Request Forgery (CSRF) in nikelschubert Easy restaurant menu manager (Medium)
- CVE-2025-0818: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in ninjateam File Manager Pro – Filester (Medium)
- CVE-2025-8901: Out of bounds write in Google Chrome (High)
- CVE-2025-8882: Use after free in Google Chrome (Medium)
- CVE-2025-8881: Inappropriate implementation in Google Chrome (Medium)