CVE-2025-4860 is a cross-site scripting (XSS) vulnerability identified in the D-Link DAP-2695 wireless access point, specifically affecting the Static Pool Settings Page implemented in the /adv_dhcps.php file. The vulnerability arises from improper sanitization of the 'f_mac' parameter, which can be manipulated remotely by an attacker to inject malicious scripts. This vulnerability is classified as problematic and has a CVSS 4.8 (medium) score. The attack vector is network-based (AV:N), requiring no privileges (PR:H indicates high privileges, but the vector states no privileges needed, so there is some inconsistency; however, the description states remote exploitation is possible), no user interaction, and impacts the integrity slightly (VI:L) but not confidentiality or availability. The product version affected is 120b36r137_ALL_en_20210528, and importantly, this device is no longer supported by the vendor, meaning no official patches or updates are available. The exploit has been publicly disclosed, increasing the risk of exploitation, although no known exploits in the wild have been reported yet. Given the nature of XSS, an attacker could leverage this vulnerability to execute arbitrary scripts in the context of the victim's browser, potentially leading to session hijacking, credential theft, or further network attacks if administrative interfaces are accessed through the vulnerable device. The lack of vendor support exacerbates the risk as no remediation is forthcoming, and organizations must rely on compensating controls or device replacement.

For European organizations, the impact of this vulnerability can be significant, especially for those relying on the D-Link DAP-2695 access points in their network infrastructure. XSS vulnerabilities can lead to unauthorized access to administrative interfaces, theft of credentials, or execution of malicious scripts that compromise network security. Since the device is an access point, it often serves as a gateway for wireless clients, meaning that exploitation could facilitate lateral movement within the network or interception of sensitive data. The absence of vendor support means that organizations cannot apply official patches, increasing the risk of persistent exploitation. This is particularly critical for sectors with strict data protection requirements under GDPR, as exploitation could lead to data breaches and regulatory penalties. Additionally, the public disclosure of the exploit code may attract attackers targeting European entities, especially those in critical infrastructure, government, or enterprises with large wireless deployments using this device.

Given the lack of official patches, European organizations should prioritize the following mitigations: 1) Immediate inventory and identification of all D-Link DAP-2695 devices in their environment. 2) Segmentation of networks to isolate vulnerable devices from sensitive systems and limit access to the device management interfaces to trusted administrators only, preferably via VPN or secure management VLANs. 3) Disable remote management features if not required, or restrict management access to specific IP addresses. 4) Implement web application firewalls (WAFs) or intrusion prevention systems (IPS) that can detect and block XSS attack patterns targeting the vulnerable parameter. 5) Monitor network traffic and device logs for unusual activity indicative of exploitation attempts. 6) Plan and execute device replacement with supported hardware that receives timely security updates. 7) Educate administrators about the risks of XSS and ensure strong authentication and session management practices are in place to reduce the impact of potential attacks.