CVE-2025-4858 is a cross-site scripting (XSS) vulnerability identified in the D-Link DAP-2695 wireless access point, specifically in the ARP Spoofing Prevention page located at /adv_arpspoofing.php. The vulnerability arises from improper sanitization of the 'harp_mac' parameter, which can be manipulated by an attacker to inject malicious scripts. This vulnerability is remotely exploitable without requiring authentication, although it does require user interaction to trigger the malicious payload. The affected firmware version is 120b36r137_ALL_en_20210528, and the product is no longer supported by D-Link, meaning no official patches or updates are available. The CVSS v4.0 base score is 4.8, indicating a medium severity level. The vulnerability impacts the confidentiality and integrity of the affected device's web interface by potentially allowing attackers to execute arbitrary scripts in the context of the victim's browser session. While no known exploits are currently observed in the wild, the public disclosure of the vulnerability increases the risk of exploitation. Other parameters on the same page might also be vulnerable, suggesting a broader input validation issue within the ARP Spoofing Prevention component. Given the device's role as a network access point, successful exploitation could facilitate further network reconnaissance or pivoting attacks within the local network environment.

For European organizations using the D-Link DAP-2695 access points, this vulnerability poses a moderate risk. Exploitation could allow attackers to execute malicious scripts in the context of the device's management interface, potentially leading to session hijacking, theft of administrative credentials, or unauthorized changes to device configuration. This could compromise network security, enabling attackers to intercept or redirect traffic via ARP spoofing or other man-in-the-middle techniques. Since the device is no longer supported, organizations cannot rely on vendor patches, increasing the risk of persistent exposure. The impact is particularly significant for organizations with critical network infrastructure relying on these devices, such as small to medium enterprises, educational institutions, or public sector entities in Europe. Additionally, the vulnerability could be leveraged as a foothold for lateral movement within internal networks, threatening confidentiality and integrity of sensitive data. However, the requirement for user interaction and the medium CVSS score suggest that exploitation is not trivial, limiting the scope of immediate widespread impact.

Given the lack of vendor support and absence of official patches, European organizations should prioritize the following mitigations: 1) Immediate replacement or decommissioning of D-Link DAP-2695 devices with unsupported firmware versions, migrating to currently supported and patched hardware. 2) If replacement is not immediately feasible, restrict access to the device's management interface by limiting it to trusted internal networks and implementing network segmentation to isolate the device from general user traffic. 3) Employ web application firewalls (WAFs) or intrusion prevention systems (IPS) capable of detecting and blocking XSS attack patterns targeting the ARP Spoofing Prevention page. 4) Conduct regular network monitoring and log analysis to detect suspicious activities indicative of exploitation attempts. 5) Educate network administrators and users about the risks of interacting with untrusted links or interfaces related to network devices. 6) Consider deploying endpoint security solutions that can detect and prevent execution of malicious scripts resulting from XSS attacks. These steps collectively reduce the attack surface and mitigate the risk posed by this vulnerability in the absence of a direct patch.