CVE-2025-4859: Cross Site Scripting in D-Link DAP-2695
A vulnerability was found in D-Link DAP-2695 120b36r137_ALL_en_20210528. It has been rated as problematic. This issue affects some unknown processing of the file /adv_macbypass.php of the component MAC Bypass Settings Page. The manipulation of the argument f_mac leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. This vulnerability only affects products that are no longer supported by the maintainer.
AI Analysis
Technical Summary
CVE-2025-4859 is a cross-site scripting (XSS) vulnerability identified in the D-Link DAP-2695 wireless access point, specifically affecting firmware version 120b36r137_ALL_en_20210528. The vulnerability resides in the MAC Bypass Settings Page, particularly in the processing of the 'f_mac' parameter within the /adv_macbypass.php file. An attacker can manipulate this parameter to inject malicious scripts that execute in the context of the victim's browser. This vulnerability is remotely exploitable without authentication, although it requires user interaction (e.g., the victim visiting a crafted URL or interface). The vulnerability has been publicly disclosed, but no known exploits are currently observed in the wild. Importantly, the affected product is no longer supported by D-Link, meaning no official patches or updates are available to remediate this issue. The CVSS v4.0 base score is 4.8, indicating a medium severity level. The attack vector is network-based with low attack complexity, no privileges required, but user interaction is necessary. The impact primarily affects the integrity of the victim's browsing session, potentially allowing attackers to steal session cookies, perform actions on behalf of the user, or conduct phishing attacks within the device's management interface. Other parameters in the same component may also be vulnerable, suggesting a broader issue with input validation in the MAC Bypass Settings Page. Since the device is an access point, exploitation could lead to compromise of network management interfaces, potentially facilitating further network intrusion or lateral movement if administrative credentials are stolen or sessions hijacked.
Potential Impact
For European organizations, the impact of this vulnerability can be significant, especially for those relying on the D-Link DAP-2695 access points in their network infrastructure. Successful exploitation could allow attackers to execute malicious scripts in the context of network administrators or users managing the device, leading to credential theft, unauthorized configuration changes, or network reconnaissance. This could degrade network integrity and availability, potentially disrupting business operations. Since the device is no longer supported, organizations cannot rely on vendor patches, increasing the risk of persistent exposure. Additionally, if attackers leverage this vulnerability as an initial foothold, they may pivot to other critical systems within the network. The requirement for user interaction limits mass exploitation but targeted attacks against network administrators or IT personnel remain a concern. Given the widespread use of D-Link networking equipment in small and medium enterprises across Europe, this vulnerability poses a moderate risk to organizations that have not replaced or isolated these legacy devices.
Mitigation Recommendations
Given the lack of vendor support and absence of patches, European organizations should prioritize the following mitigations:
1) Immediate replacement or segmentation of affected DAP-2695 devices to isolate them from critical network segments and administrative workstations.
2) Restrict access to the device management interface to trusted IP addresses and enforce strong network-level access controls such as VPNs or jump hosts.
3) Disable or restrict the MAC Bypass Settings Page functionality if possible, or disable web management interfaces when not in use.
4) Implement strict input validation and Content Security Policy (CSP) on any custom management portals that interact with these devices, if applicable.
5) Educate network administrators about the risk of phishing or social engineering attacks that could trigger the XSS vulnerability.
6) Monitor network traffic and logs for suspicious activity related to the device management interface.
7) Plan for device lifecycle management to avoid continued use of unsupported hardware with known vulnerabilities.
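The following is an added example, not code from the advisory or from D-Link's firmware, illustrating two of the recommendations above: the strict input validation and output encoding a custom portal should apply to a MAC-address parameter such as f_mac before reflecting it into HTML (mitigation 4), and a log check that flags requests to /adv_macbypass.php whose f_mac value is not a well-formed MAC address (mitigation 6). The function names, the log format and the sample log lines are assumptions constructed for this illustration; the DAP-2695's own page logic is unknown.

```python
"""
Added example (not the advisory's or D-Link's code): allowlist validation of a
MAC-address parameter named f_mac, hardened reflection into HTML, and a check
over web-server access logs for malformed f_mac values sent to the MAC Bypass
page. Function names and the log format are assumptions for this illustration.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Strict allowlist: six hex octets separated consistently by ':' or '-'.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def is_valid_mac(value: str) -> bool:
    """True only if value is a well-formed MAC address."""
    return bool(MAC_RE.match(value))


def normalise_mac(value: str) -> str:
    """Canonical form (uppercase, colon-separated); raises ValueError otherwise."""
    if not is_valid_mac(value):
        raise ValueError("f_mac is not a MAC address")
    return value.upper().replace("-", ":")


def render_mac_field(raw_f_mac: str) -> str:
    """
    Hardened reflection: validate first and reflect nothing from the request if
    validation fails. Even a valid MAC is HTML-escaped before being placed in an
    attribute, so the output encoding does not depend on the allowlist alone.
    """
    try:
        mac = normalise_mac(raw_f_mac)
    except ValueError:
        return '<input name="f_mac" value="">'
    return f'<input name="f_mac" value="{html.escape(mac, quote=True)}">'


# Constructed access-log lines in common log format (not real device logs).
# The second line carries a percent-encoded f_mac that is not a MAC address.
SAMPLE_LOG = """\
10.0.0.5 - - [20/May/2025:18:59:04 +0000] "GET /adv_macbypass.php?f_mac=00:11:22:33:44:55 HTTP/1.1" 200 512
10.0.0.9 - - [20/May/2025:19:01:12 +0000] "GET /adv_macbypass.php?f_mac=00%3A11%3A22%3A33%3A44%3A55%3Cb%3Ex HTTP/1.1" 200 530
10.0.0.7 - - [20/May/2025:19:02:40 +0000] "GET /index.php HTTP/1.1" 200 120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_malformed_f_mac(log_text: str, path: str = "/adv_macbypass.php") -> list:
    """
    Return one record per request to `path` whose f_mac value fails the
    allowlist. Values are percent-decoded by parse_qs before checking, so
    encoded tag characters are caught as well as literal ones.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != path:
            continue
        for value in parse_qs(parts.query).get("f_mac", []):
            if not is_valid_mac(value):
                hits.append({"ip": m["ip"], "ts": m["ts"], "f_mac": value})
    return hits


if __name__ == "__main__":
    for hit in find_malformed_f_mac(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} sent malformed f_mac: {hit['f_mac']!r}")
```

The allowlist is deliberately narrow: a MAC address has exactly one shape, so anything else is rejected rather than sanitised, and the HTML escaping on output is kept as a second, independent layer. The log check flags on format failure rather than on any particular payload, so it does not need to be updated when attackers vary their input.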
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-05-16T18:54:48.747Z
- Cisa Enriched: true
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 682cd0f81484d88663aeb798
Added to database: 5/20/2025, 6:59:04 PM
Last enriched: 7/11/2025, 8:03:36 PM
Last updated: 7/31/2025, 5:12:43 AM