CVE-2025-50975: n/a
The IPFire 2.29 web-based firewall interface (firewall.cgi) fails to sanitize several rule parameters such as PROT, SRC_PORT, TGT_PORT, dnatport, key, ruleremark, src_addr, std_net_tgt, and tgt_addr, allowing an authenticated administrator to inject persistent JavaScript. This stored XSS payload is executed whenever another admin views the firewall rules page, enabling session hijacking, unauthorized actions within the interface, or further internal pivoting. Exploitation requires only high-privilege GUI access, and the complexity of the attack is low.
AI Analysis
Technical Summary
CVE-2025-50975 is a stored Cross-Site Scripting (XSS) vulnerability affecting the IPFire 2.29 web-based firewall interface, specifically the firewall.cgi component. The vulnerability arises because several rule parameters—such as PROT, SRC_PORT, TGT_PORT, dnatport, key, ruleremark, src_addr, std_net_tgt, and tgt_addr—are not properly sanitized. An authenticated administrator with high privileges can inject persistent JavaScript payloads into these parameters. When another administrator subsequently views the firewall rules page, the malicious script executes in their browser context. This can lead to session hijacking, unauthorized actions within the firewall management interface, or further internal network pivoting. The attack complexity is low, requiring only authenticated high-privilege GUI access and no additional user interaction beyond viewing the affected page. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), and has a CVSS v3.1 base score of 5.4 (medium severity), reflecting network attack vector, low attack complexity, required privileges, and user interaction. No public exploits are currently known, and no patches have been linked yet. The vulnerability impacts confidentiality and integrity by enabling session hijacking and unauthorized administrative actions, but does not affect availability directly. The scope is limited to administrators with GUI access, but the stored nature of the XSS means multiple admins can be compromised once the payload is injected.
Potential Impact
For European organizations using IPFire 2.29 as their firewall solution, this vulnerability poses a significant risk to the security of their network perimeter management. Since firewall configurations are critical to controlling traffic and enforcing security policies, unauthorized actions or session hijacking of administrators could lead to misconfigurations, exposure of internal networks, or creation of backdoors. The persistent XSS can facilitate lateral movement within the administrative domain, potentially compromising multiple administrators and increasing the attack surface. Given that IPFire is often deployed in small to medium enterprises and some public sector environments in Europe, the impact could be substantial in organizations relying on this product for perimeter defense. Confidentiality of administrative sessions and integrity of firewall rules are at risk, which could cascade into broader network compromises. However, the requirement for authenticated high-privilege access limits exploitation to insider threats or attackers who have already gained administrative credentials, reducing the risk of external remote exploitation without prior access.
Mitigation Recommendations
Organizations should immediately audit their IPFire 2.29 deployments and restrict administrative GUI access to trusted personnel and secure networks. Implement strict access controls and multi-factor authentication (MFA) for all firewall administrators to reduce the risk of credential compromise. Monitor firewall rule changes and administrative sessions for suspicious activity indicative of XSS exploitation or unauthorized modifications. Until an official patch is released, consider isolating the firewall management interface from general network access, for example by using VPNs or jump hosts with strong authentication. Educate administrators about the risks of stored XSS and encourage them to avoid clicking on suspicious links or entering untrusted data into firewall rule parameters. Additionally, organizations can implement Content Security Policy (CSP) headers on the firewall web interface if possible to mitigate the impact of injected scripts. Regularly check for updates from IPFire and apply patches promptly once available.
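As an added illustration, not IPFire's own code (firewall.cgi is Perl), the following Python sketches the three defender-side controls the analysis above implies: allowlist validation of the structured rule fields, HTML escaping of every stored value when the rules table is rendered (the actual fix for CWE-79), and an audit that flags markup already stored in a rule set. The field names follow the advisory; the protocol allowlist and the sample rules are constructed for the example.

```python
import html
import ipaddress
import re

# Constructed sample rules shaped like the firewall.cgi parameters the advisory
# names (not data from a real IPFire system). Rule 3 carries a harmless markup
# marker in ruleremark so the checks below have something to catch.
RULES = [
    {"key": "1", "PROT": "tcp", "src_addr": "10.0.0.5", "tgt_addr": "192.168.1.10",
     "TGT_PORT": "443", "ruleremark": "allow https to dmz"},
    {"key": "2", "PROT": "udp", "src_addr": "10.0.0.0/24", "tgt_addr": "192.168.1.53",
     "TGT_PORT": "53", "ruleremark": "internal dns"},
    {"key": "3", "PROT": "tcp", "src_addr": "10.0.0.9", "tgt_addr": "192.168.1.20",
     "TGT_PORT": "80", "ruleremark": "<script>/*marker*/</script>"},
]
FIELDS = ("key", "PROT", "src_addr", "tgt_addr", "TGT_PORT", "ruleremark")
PROTOCOLS = {"tcp", "udp", "icmp", "gre", "esp", "all"}   # hypothetical allowlist
MARKUP = re.compile(r"[<>\"']|javascript:|\bon\w+\s*=", re.IGNORECASE)

def _is_addr(value):
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False

def validate_rule(rule):
    # Input side: structured fields must match a strict format. Free text such
    # as ruleremark cannot be allowlisted, which is why output escaping is needed.
    bad = []
    if rule["PROT"].lower() not in PROTOCOLS:
        bad.append("PROT")
    bad += [f for f in ("src_addr", "tgt_addr") if not _is_addr(rule[f])]
    if not (rule["TGT_PORT"].isdigit() and 0 < int(rule["TGT_PORT"]) < 65536):
        bad.append("TGT_PORT")
    return bad

def render_row(rule):
    # Output side (the fix for CWE-79): escape every stored value before it is
    # written into the rules table, so saved markup renders as inert text.
    return "<tr>" + "".join(f"<td>{html.escape(rule[f], quote=True)}</td>"
                            for f in FIELDS) + "</tr>"

def audit_rules(rules):
    # Detection: list (rule key, field) pairs whose stored value looks like markup,
    # for reviewing an existing rule set before a patched build is available.
    return [(r["key"], f) for r in rules for f in FIELDS if MARKUP.search(r[f])]
```

Note that rule 3 passes `validate_rule` cleanly: format checks on structured fields do nothing for a free-text remark, so the escaping in `render_row` is the control that actually neutralizes the stored payload.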
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-06-16T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68ae5292ad5a09ad005cef6f
Added to database: 8/27/2025, 12:34:26 AM
Last enriched: 9/3/2025, 1:06:02 AM
Last updated: 10/11/2025, 2:42:07 PM
Views: 67