CVE-2025-57539: n/a
A stored cross-site scripting (XSS) vulnerability in the U2F Origin field of the Datacenter configuration in Proxmox Virtual Environment (PVE) 8.4 allows authenticated users to store malicious input. The payload is rendered unsafely in the Web UI and executed when viewed by other users, potentially leading to session hijacking or other attacks.
AI Analysis
Technical Summary
CVE-2025-57539 is a stored cross-site scripting (XSS) vulnerability identified in the U2F Origin field within the Datacenter configuration of Proxmox Virtual Environment (PVE) version 8.4. This vulnerability allows an authenticated user to inject malicious scripts into the U2F Origin field, which is then stored persistently in the system. When other users access the affected Web UI interface, the malicious payload is rendered without proper sanitization or encoding, leading to execution of arbitrary JavaScript code in the context of the victim's browser session. This can result in session hijacking, unauthorized actions performed on behalf of the victim, or other client-side attacks. The vulnerability requires the attacker to have authenticated access to the PVE Web UI, and user interaction is necessary for the payload to execute (i.e., viewing the page that renders the stored value). The CVSS v3.1 base score is 5.4 (medium severity), reflecting the network attack vector, low attack complexity, low privileges required, the requirement for user interaction, and impact on confidentiality and integrity but not availability. The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common XSS weakness. No public exploits or patches are currently known or linked, indicating it may be a recently disclosed issue. The vulnerability affects Proxmox VE 8.4, a widely used open-source virtualization management platform, which is often deployed in enterprise and data center environments for managing virtual machines and containers.
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily in environments where Proxmox VE 8.4 is deployed for virtualization management. Successful exploitation could allow an attacker with legitimate access to inject malicious scripts that compromise the confidentiality and integrity of user sessions. This could lead to session hijacking, unauthorized administrative actions, or lateral movement within the infrastructure. Given that Proxmox VE is commonly used in data centers and enterprise IT environments across Europe, exploitation could disrupt management operations or lead to further compromise of virtualized workloads. The impact is heightened in organizations with multiple administrators or users accessing the Web UI, as the stored XSS payload can affect multiple victims. However, the requirement for authenticated access and user interaction limits the attack surface to insiders or compromised accounts, reducing the likelihood of widespread exploitation. Nonetheless, the vulnerability could be leveraged in targeted attacks against critical infrastructure or sensitive environments, potentially leading to data breaches or operational disruptions.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should:
1) Immediately review and restrict access to the Proxmox VE Web UI, ensuring that only trusted and necessary users have authenticated access, ideally through strong authentication mechanisms such as multi-factor authentication (MFA).
2) Implement strict input validation and output encoding controls on the U2F Origin field and other user input fields within the Proxmox VE Web UI to prevent injection of malicious scripts. Although no official patch is currently available, organizations should monitor Proxmox security advisories for updates and apply patches promptly once released.
3) Conduct regular audits of the Datacenter configuration fields, especially the U2F Origin entries, to detect and remove any suspicious or unexpected inputs.
4) Employ web application firewalls (WAFs) or security gateways capable of detecting and blocking XSS payloads targeting the management interface.
5) Educate administrators and users about the risks of stored XSS and encourage cautious behavior when interacting with the Web UI, including avoiding clicking on suspicious links or inputs.
6) Consider network segmentation to isolate the Proxmox management interface from general user networks, reducing exposure to potentially compromised accounts.
These measures collectively reduce the risk of exploitation and limit the potential impact of this vulnerability.
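Recommendation 2) above (validate the U2F Origin field on input, encode it on output) is illustrated by the following added example; it is not Proxmox code, and the function names and the cell markup are hypothetical. It treats a U2F origin as exactly scheme://host[:port] and escapes the stored value whenever it is rendered, so a value that bypassed validation is still displayed as text rather than interpreted as markup.

```javascript
// Added example (not Proxmox code): strict U2F origin validation plus
// HTML-escaping at render time. Names and markup are hypothetical.

// A U2F/WebAuthn origin is scheme://host[:port] and nothing else.
// Accept only the canonical origin: no path, query, fragment or credentials.
function isValidU2fOrigin(value) {
  if (typeof value !== "string" || value.length === 0 || value.length > 512) {
    return false;
  }
  let url;
  try {
    url = new URL(value); // throws on forbidden host characters such as < >
  } catch {
    return false;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  // The stored form must equal the parsed origin exactly (one trailing slash
  // is tolerated), which rejects anything beyond scheme://host[:port],
  // including userinfo, paths, queries, fragments and non-canonical casing.
  return value.replace(/\/$/, "") === url.origin;
}

// Output encoding: escape the five HTML-significant characters before the
// value is placed into markup, independent of whether validation ran.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Renders a stored value into a hypothetical table cell. Values that fail
// validation are still escaped, and additionally flagged for the auditor.
function renderU2fOriginCell(stored) {
  const safe = escapeHtml(stored);
  return isValidU2fOrigin(stored)
    ? `<span class="u2f-origin">${safe}</span>`
    : `<span class="u2f-origin invalid" title="not a valid origin">${safe}</span>`;
}

// Constructed samples: a good value, and one carrying markup that must
// never be stored and must never render as HTML.
const SAMPLES = ["https://pve.example.com:8006", "https://pve.example.com/<script>"];
for (const s of SAMPLES) {
  console.log(isValidU2fOrigin(s) ? "accept" : "reject", renderU2fOriginCell(s));
}
```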
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-08-17T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68c05927ffcb452a184a8c12
Added to database: 9/9/2025, 4:43:19 PM
Last enriched: 9/17/2025, 1:10:01 AM
Last updated: 10/29/2025, 9:49:33 AM