CVE-2025-5990 is a high-severity stored Cross-Site Scripting (XSS) vulnerability affecting Arcadia Technology, LLC's Crafty Controller product versions 4.2.2, 4.3.0, and 4.4.0. The vulnerability arises from improper neutralization of user input in the Server Name and API Key form components. Specifically, the application fails to adequately sanitize or encode input fields before rendering them in web pages, allowing a remote attacker with authenticated access to inject malicious scripts that are persistently stored and executed in the context of other users or administrators viewing the affected pages. The CVSS 3.1 score of 7.6 reflects the vulnerability's characteristics: it can be exploited remotely over the network (AV:N) with low attack complexity (AC:L), requires privileges (PR:L) and user interaction (UI:R), but impacts confidentiality (C:H) severely while having limited impact on integrity (I:L) and no impact on availability (A:N). The scope is changed (S:C), indicating that the vulnerability affects components beyond the initially vulnerable module. Although no known exploits are currently reported in the wild, the nature of stored XSS vulnerabilities makes this a significant risk, especially in environments where multiple users access the Crafty Controller interface. Attackers can leverage this vulnerability to steal session tokens, perform actions on behalf of users, or pivot to further attacks within the network. The lack of available patches at the time of publication necessitates immediate attention to mitigation strategies.

For European organizations using Crafty Controller versions 4.2.2, 4.3.0, or 4.4.0, this vulnerability poses a substantial risk to the confidentiality of sensitive information managed through the platform. Since the vulnerability allows stored XSS, attackers can execute arbitrary JavaScript in the context of authenticated users, potentially leading to session hijacking, credential theft, or unauthorized actions. This is particularly critical for organizations in sectors such as industrial automation, smart building management, or IoT device orchestration where Crafty Controller is deployed. The integrity impact is limited but still present, as attackers might manipulate displayed data or user interface elements. Availability is not directly affected, but successful exploitation could lead to indirect denial of service through compromised user accounts or administrative lockouts. The requirement for authenticated access and user interaction reduces the attack surface but does not eliminate risk, especially in environments with many users or where phishing/social engineering can be used to trick users into triggering the payload. European organizations with strict data protection regulations (e.g., GDPR) may face compliance risks if exploitation leads to data breaches. Furthermore, the scope change indicates that the vulnerability could affect multiple components or modules, increasing the potential reach within affected systems.

1. Immediate mitigation should include restricting access to the Crafty Controller interface to trusted networks and users, minimizing the number of accounts with privileges to input data into the vulnerable forms. 2. Implement strict input validation and output encoding on the Server Name and API Key fields at the application or web server level as a temporary measure, for example by deploying a Web Application Firewall (WAF) with custom rules to detect and block typical XSS payloads targeting these inputs. 3. Educate users and administrators about the risk of phishing and social engineering that could lead to triggering stored XSS payloads, emphasizing caution when interacting with unexpected or suspicious inputs. 4. Monitor logs and user activity for unusual behavior that could indicate exploitation attempts, such as unexpected script execution or anomalous API key changes. 5. Coordinate with Arcadia Technology, LLC to obtain patches or updates as soon as they become available, and prioritize timely application of these patches. 6. Consider implementing Content Security Policy (CSP) headers to reduce the impact of potential XSS by restricting script execution sources. 7. Conduct a thorough review of user privileges and remove unnecessary authenticated access to reduce the attack surface. 8. If feasible, isolate the Crafty Controller environment from critical networks until the vulnerability is remediated.