CVE-2025-50975: n/a
IPFire 2.29 web-based firewall interface (firewall.cgi) fails to sanitize several rule parameters such as PROT, SRC_PORT, TGT_PORT, dnatport, key, ruleremark, src_addr, std_net_tgt, and tgt_addr, allowing an authenticated administrator to inject persistent JavaScript. This stored XSS payload is executed whenever another admin views the firewall rules page, enabling session hijacking, unauthorized actions within the interface, or further internal pivoting. Exploitation requires only high-privilege GUI access, and the complexity of the attack is low.
AI Analysis
Technical Summary
CVE-2025-50975 is a stored cross-site scripting (XSS) vulnerability in the web-based firewall interface of IPFire 2.29, specifically in the firewall.cgi component. The application fails to sanitize several rule parameters, including PROT, SRC_PORT, TGT_PORT, dnatport, key, ruleremark, src_addr, std_net_tgt, and tgt_addr, before storing them and rendering them back into the firewall rules page. An authenticated administrator can therefore save a rule whose fields contain JavaScript; the script persists in the rule set and executes in the browser of any other administrator who views the rules page.

Because the payload runs in the victim's browser with that administrator's authenticated context, it can issue any request the interface accepts: change or delete rules, create forwarding or DNAT entries, or read page content. Session hijacking is one outcome; scripted rule changes made directly from the victim's browser are the more direct one. Attack complexity is low, but the precondition is high: the attacker must already hold administrative GUI access, so the realistic threat actors are malicious insiders and attackers who have already compromised an administrator's credentials or workstation. The stored payload also gives such an attacker persistence, since it keeps working for as long as the rule stays in the configuration, regardless of later password changes.

No CVSS score had been assigned and no exploitation in the wild had been reported as of the publication date (August 26, 2025). The root cause is missing input validation on fields that should only ever hold protocol names, port numbers, addresses or object names, combined with missing output encoding when stored values are written into the page. Both controls are needed: the free-text remark cannot be allow-listed and must be encoded on output, and the structured fields should never have accepted markup in the first place. Within IPFire this is not a privilege escalation, since the attacker is already an administrator, but it turns one compromised administrator into control over every administrator who opens the rules page, and from there into the firewall policy that protects the rest of the network.
Potential Impact
For European organizations, the impact of CVE-2025-50975 can be substantial. IPFire is an open-source firewall solution used by small to medium enterprises and some public sector entities across Europe. Successful exploitation allows an attacker with admin GUI access to hijack sessions of other administrators, potentially gaining full control over firewall configurations. This can lead to unauthorized rule changes, disabling security controls, or creating backdoors for further network compromise. The persistent nature of the XSS payload means multiple administrators can be affected over time, increasing the risk of widespread internal compromise. Given the firewall’s role in protecting network boundaries, this vulnerability could facilitate data exfiltration, disruption of services, or lateral movement to critical infrastructure. European organizations with strict data protection regulations (e.g., GDPR) may face compliance risks if such an incident leads to data breaches. Additionally, the vulnerability could be exploited in targeted attacks against government agencies, critical infrastructure providers, or enterprises relying on IPFire, amplifying geopolitical risks in the region.
Mitigation Recommendations
To mitigate CVE-2025-50975, organizations should:
1) Restrict administrative GUI access to the minimum necessary personnel and reach it only from a management network or an allow-list of management hosts; enforce multi-factor authentication on the VPN or jump host used to get there, since a compromised administrator credential is the realistic entry point for this bug.
2) Apply the fix from the IPFire project as soon as it is released; until then, monitor the official IPFire channels.
3) The code-level fix belongs in firewall.cgi: allow-list the structured fields (PROT against the supported protocol names, the port fields against numeric ports or ranges, the address fields against addresses or networks) and HTML-encode every stored value, above all the free-text ruleremark, when the rules page is rendered. Anyone maintaining a local modification of the interface should apply the same two controls.
4) Audit the stored rule set for injected markup (for example `<`, `>` or `javascript:` in any of the listed fields). Do this from the shell against the rule files on disk (under /var/ipfire/firewall/ on a standard install), not by opening the rules page in a browser, because viewing the page is exactly what executes a stored payload.
5) Use network segmentation and monitoring to detect unusual lateral movement or privilege escalation attempts originating from firewall management hosts, and alert on firewall rule changes that no administrator can account for.
6) Educate administrators about the risks of stored XSS and about treating the firewall configuration as untrusted input once any administrator credential is suspected of compromise.
7) A Web Application Firewall in front of the firewall's own management interface is rarely practical. A Content Security Policy that blocks inline script would have to be added to the Apache configuration that serves the IPFire interface and is likely to break existing pages, so test it before relying on it as a compensating control.
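As an added example, not code from IPFire (firewall.cgi is Perl; this is Python), the script below puts the two controls from item 3 next to the audit from item 4: allow-list validators for the structured fields named in the CVE description, a markup screen for the free-text ruleremark, and a rules-page row rendered once with raw interpolation (the bug class) and once with HTML encoding. The allowed protocol set, the numeric key field, and the `key=value;key=value` line format of the constructed sample are assumptions for illustration, not IPFire's on-disk rule format.

```python
import html
import ipaddress
import re

# The nine parameters named in the CVE description. Each structured field gets an
# allow-list validator; the free-text remark cannot be allow-listed, so it is only
# screened for markup here and must be HTML-encoded on output (render_row_safe).
# ASSUMPTIONS (not taken from IPFire source): the protocol set and the numeric key.
ALLOWED_PROT = {"TCP", "UDP", "ICMP", "ESP", "GRE", "AH", "IGMP", "ALL"}
MARKUP = re.compile(r"[<>]|javascript:", re.IGNORECASE)


def is_port_spec(v):
    """Single port or 'low:high' range, both ends in 1..65535 and low <= high."""
    m = re.fullmatch(r"(\d{1,5})(?::(\d{1,5}))?", v)
    if not m:
        return False
    lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
    return 1 <= lo <= hi <= 65535


def is_addr(v):
    """IPv4/IPv6 host or CIDR network; anything the parser rejects is rejected."""
    try:
        ipaddress.ip_network(v, strict=False)
        return True
    except ValueError:
        return False


def is_object_name(v):
    """Named network/host objects: letters, digits, space, dot, dash, underscore."""
    return re.fullmatch(r"[A-Za-z0-9 ._-]{1,64}", v) is not None


VALIDATORS = {
    "key": str.isdigit,
    "PROT": lambda v: v.upper() in ALLOWED_PROT,
    "SRC_PORT": is_port_spec,
    "TGT_PORT": is_port_spec,
    "dnatport": is_port_spec,
    "src_addr": is_addr,
    "tgt_addr": is_addr,
    "std_net_tgt": is_object_name,
    "ruleremark": lambda v: MARKUP.search(v) is None,
}
DISPLAY_FIELDS = list(VALIDATORS)


def validate_rule(rule):
    """Return the names of fields whose stored value fails its validator."""
    return [f for f, check in VALIDATORS.items() if f in rule and not check(rule[f])]


def render_row_unsafe(rule):
    """The bug class: stored values interpolated straight into HTML."""
    return "<tr>" + "".join(f"<td>{rule.get(f, '')}</td>" for f in DISPLAY_FIELDS) + "</tr>"


def render_row_safe(rule):
    """Encode on output: html.escape turns < > & \" ' into entities, so a stored
    payload is displayed as text instead of being parsed as markup."""
    return "<tr>" + "".join(
        f"<td>{html.escape(rule.get(f, ''), quote=True)}</td>" for f in DISPLAY_FIELDS
    ) + "</tr>"


# Constructed sample in a simple key=value;key=value line format. This is NOT
# IPFire's on-disk rule format; adapt parse_rules() to the real files.
SAMPLE_RULES = """\
# rule 1 is clean; rule 2 smuggles markup into PROT; rule 3 into the remark
key=1;PROT=TCP;src_addr=192.168.1.0/24;tgt_addr=10.0.0.5;SRC_PORT=1024:65535;TGT_PORT=443;dnatport=8443;std_net_tgt=GREEN;ruleremark=allow https to dmz web
key=2;PROT=TCP<script>alert(1)</script>;src_addr=192.168.1.10;tgt_addr=10.0.0.6;SRC_PORT=1024:65535;TGT_PORT=22;dnatport=22;std_net_tgt=DMZ;ruleremark=ssh
key=3;PROT=UDP;src_addr=192.168.1.0/24;tgt_addr=10.0.0.7;SRC_PORT=1024:65535;TGT_PORT=53;dnatport=53;std_net_tgt=GREEN;ruleremark=<img src=x onerror=alert(document.cookie)>
"""


def parse_rules(text):
    """Parse the constructed format above into a list of {field: value} dicts."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = {}
        for item in line.split(";"):
            k, _, v = item.partition("=")  # split at the first '=' only
            rule[k.strip()] = v.strip()
        rules.append(rule)
    return rules


def audit(text):
    """Offline audit of stored rules: (key, [bad fields]) for every failing rule.
    Run this against the files, not the GUI: opening the rules page is what
    triggers a stored payload."""
    return [(r.get("key", "?"), bad) for r in parse_rules(text) if (bad := validate_rule(r))]


if __name__ == "__main__":
    for key, bad in audit(SAMPLE_RULES):
        print(f"rule {key}: suspicious field(s) {bad}")
    bad_rule = parse_rules(SAMPLE_RULES)[2]
    print("unsafe:", render_row_unsafe(bad_rule))
    print("safe:  ", render_row_safe(bad_rule))
```

Running it reports rule 2 (markup in PROT) and rule 3 (markup in the remark) and shows the third rule's remark rendered as text by the safe renderer. Treat the validators as a starting point: over-flagging is acceptable in an audit, but a validator used to reject input must accept every value the interface legitimately allows, so check the allow-lists against the real interface before enforcing them.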
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-06-16T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68ae5292ad5a09ad005cef6f
Added to database: 8/27/2025, 12:34:26 AM
Last enriched: 8/27/2025, 12:47:47 AM
Last updated: 8/27/2025, 1:39:26 AM
Related Threats
- CVE-2025-7732: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in kevinweber Lazy Load for Videos (Medium)
- CVE-2025-8490: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in servmask All-in-One WP Migration and Backup (Medium)
- CVE-2025-26417: Information disclosure in Google Android (Unknown)
- CVE-2025-22413: Information disclosure in Google Android (Unknown)
- CVE-2025-22412: Remote code execution in Google Android (Unknown)