CVE-2025-61431: n/a
A reflected cross-site scripting (XSS) vulnerability in the /jsp/gsfr_feditorHTML.jsp endpoint of Zucchetti ZMaintenance Infinity and Infinity Zucchetti v4.1 and earlier allows attackers to execute arbitrary JavaScript in the context of a user's browser by injecting a crafted payload into the pHtmlSource parameter. A vendor fix was released on 2025-06-18.
AI Analysis
Technical Summary
CVE-2025-61431 is a reflected cross-site scripting (XSS, CWE-79) vulnerability in the /jsp/gsfr_feditorHTML.jsp endpoint of Zucchetti ZMaintenance Infinity and Infinity Zucchetti versions 4.1 and earlier. The endpoint reflects the value of the pHtmlSource parameter into its response without adequate validation or output encoding, so an attacker who controls that value can place script in the page, and the victim's browser executes it in the application's origin. Because the flaw is reflected rather than stored, the payload travels in the crafted URL or request itself and nothing is persisted on the server: the attacker must get a logged-in user to follow a link (or submit a form) carrying the payload, typically through phishing. Script running in the application's origin can read whatever the page can read, send requests with the victim's session, and, unless the session cookie is marked HttpOnly, read the cookie itself. "Arbitrary JavaScript" therefore means arbitrary actions inside the application on the victim's behalf, not command execution on the server. The parameter name suggests the endpoint receives HTML source for an editor component, which would explain why the value is emitted as markup; the advisory does not confirm this and does not describe the exact sink. The vendor released a fix on June 18, 2025 that addresses the input-handling flaw. No public exploit has been reported, but reflected XSS is easy to weaponize once the vulnerable parameter is known, and a maintenance-management product used in industrial and enterprise environments is an attractive target for social-engineering campaigns. No CVSS score has been assigned, so severity must be assessed independently from the vulnerability's characteristics: reachable over the network, low attack complexity, user interaction required, impact confined to what the victim's session can do.
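The following is an added example, not Zucchetti's code and not derived from the patch: it contrasts a handler that reflects pHtmlSource verbatim (the pattern the advisory describes) with one that rebuilds the value through an allowlist sanitizer. It assumes, as the parameter name suggests but the advisory does not state, that the field legitimately carries editor HTML, which is why plain html.escape of the whole value is not the fix. The allowed tags and attributes, the endpoint stand-in and the query strings are all constructed for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist for an HTML editor field (assumption: pHtmlSource carries editor HTML).
ALLOWED_TAGS = {"p", "b", "i", "u", "em", "strong", "ul", "ol", "li", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}   # their text is discarded, not just the tag


def safe_url(value):
    """Allow http(s) and relative URLs only; rejects javascript:, data:, vbscript: schemes.
    Browsers ignore tab/CR/LF inside a URL, so "java\tscript:" must be normalized first."""
    if value is None:
        return False
    cleaned = "".join(ch for ch in value if ord(ch) > 0x1F).strip()
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:
        return False
    return scheme in ("", "http", "https")


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the markup from an allowlist: unknown tags and attributes are dropped,
    text is re-encoded, and open tags are closed so the output cannot break page structure."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.drop_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return                      # tag dropped; its text still arrives via handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                # drops onerror=, onload=, style=, ...
            if name == "href" and not safe_url(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in self.open_tags:
            return
        while self.open_tags:           # also closes anything left open inside it
            t = self.open_tags.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_html(source):
    p = AllowlistSanitizer()
    p.feed(source)
    return p.result()


def render_vulnerable(query_string):
    """Constructed stand-in for the vulnerable pattern: the parameter is reflected verbatim.
    parse_qs percent-decodes, so a URL-encoded payload arrives as live markup."""
    src = parse_qs(query_string).get("pHtmlSource", [""])[0]
    return f"<div id='editor'>{src}</div>"


def render_fixed(query_string):
    """Same reflection, but the value is rebuilt through the allowlist first."""
    src = parse_qs(query_string).get("pHtmlSource", [""])[0]
    return f"<div id='editor'>{sanitize_html(src)}</div>"


if __name__ == "__main__":
    payload = "pHtmlSource=<p>Hi</p><img src=x onerror=alert(document.cookie)>"
    print(render_vulnerable(payload))
    print(render_fixed(payload))
```

The sanitizer keeps the benign `<p>` and drops the `<img>` with its event handler, and it also survives the usual evasions: entity-encoded text is decoded and re-encoded, `java<TAB>script:` in an href is caught, and an unterminated `<b>` is closed so the reflected value cannot swallow the rest of the page. In a Java/JSP application the same shape is available through OWASP Java HTML Sanitizer for HTML-carrying fields and OWASP Java Encoder for everything else.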
Potential Impact
For European organizations, exploitation could lead to confidentiality breaches, including theft of session tokens, user credentials captured through injected forms, and sensitive operational data displayed by the application. Integrity could be compromised if attackers execute unauthorized actions on behalf of users, potentially altering maintenance schedules or system configurations managed through the software. The availability impact of reflected XSS is generally low, but it can be affected indirectly if the vulnerability is used as a foothold for further attacks or undermines users' trust in the application. Organizations in critical infrastructure, manufacturing, and enterprise sectors that rely on Zucchetti ZMaintenance Infinity may face operational risks and reputational damage. Exploitation requires only that a user open a crafted URL, which raises the likelihood of success in environments with limited user awareness or weak web security controls. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, so prompt remediation is warranted.
Mitigation Recommendations
Organizations should apply the vendor fix released on June 18, 2025 as the primary remediation; every other measure below reduces exposure but does not remove the flaw. Where the patch cannot be applied yet, restrict access to the affected endpoint to trusted networks or authenticated users. In the application itself, enforce strict input validation and context-aware output encoding for all user-supplied data; for a parameter that legitimately carries HTML, that means an allowlist-based sanitizer rather than blanket encoding, which would break the feature. Deploy a Content Security Policy that forbids inline script (no 'unsafe-inline' in script-src); this neutralizes most reflected payloads, but only if the application does not itself depend on inline scripts, so test in report-only mode before enforcing. Mark session cookies HttpOnly and SameSite so that a successful injection cannot read the cookie outright, and use multi-factor authentication to limit what stolen credentials are worth; note that MFA does not protect an already authenticated session from which the injected script acts. Monitor web server logs for requests to /jsp/gsfr_feditorHTML.jsp whose pHtmlSource value contains script tags, event-handler attributes, or javascript: URLs, decoding the value before matching, and remember that access logs show only GET query strings, not POST bodies. Use a web application firewall tuned for reflected XSS as an additional layer, recognizing that WAF signatures can be bypassed with encoding variants. Train users to recognize phishing links, and audit and update third-party software components regularly so that security patches are applied promptly.
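As an added example of the log monitoring recommended above (it is not part of the original page and not a vendor-provided detection), the script below scans combined-format access log lines for requests to /jsp/gsfr_feditorHTML.jsp whose pHtmlSource value, after full percent-decoding, contains XSS markers. The endpoint path and parameter name come from the advisory; the marker list, the log layout, and the sample log lines are constructed assumptions and should be tuned to real traffic.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

TARGET_PATH = "/jsp/gsfr_feditorHTML.jsp"
TARGET_PARAM = "pHtmlSource"

# Markers a real user is unlikely to submit in an editor field. Matching runs on the fully
# decoded value so %3C, double encoding and mixed case do not hide them. Tune to your traffic.
XSS_MARKERS = re.compile(
    r"<\s*script|javascript\s*:|\bon[a-z]+\s*=|<\s*(?:img|svg|iframe|object|embed)\b|srcdoc\s*=",
    re.IGNORECASE,
)

# Apache/Tomcat combined log layout: ip ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one benign request, two probes, one request to a different path.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Nov/2025:10:12:01 +0100] "GET /jsp/gsfr_feditorHTML.jsp?pHtmlSource=%3Cp%3EHello%3C%2Fp%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Nov/2025:10:12:44 +0100] "GET /jsp/gsfr_feditorHTML.jsp?pHtmlSource=%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E HTTP/1.1" 200 5201 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Nov/2025:10:13:02 +0100] "GET /jsp/gsfr_feditorHTML.jsp;jsessionid=ABC123?pHtmlSource=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 5188 "-" "curl/8.4.0"
10.0.0.9 - - [04/Nov/2025:10:14:10 +0100] "GET /jsp/other.jsp?pHtmlSource=%3Cscript%3E HTTP/1.1" 404 312 "-" "Mozilla/5.0"
"""


def fully_decode(value, rounds=3):
    """Percent-decode until stable (bounded), so %253Cscript%253E becomes <script>."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalize_path(path):
    """Drop Tomcat path parameters (;jsessionid=...) and resolve ./ and ../ segments."""
    return posixpath.normpath(path.split(";", 1)[0])


def inspect_line(line):
    """Return a finding dict for a suspicious request to the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if normalize_path(parts.path) != TARGET_PATH:
        return None
    # parse_qs already decodes one layer; keep_blank_values so empty probes are still attributed
    params = parse_qs(parts.query, keep_blank_values=True)
    for raw in params.get(TARGET_PARAM, []):
        value = fully_decode(raw)
        hit = XSS_MARKERS.search(value)
        if hit:
            return {"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                    "marker": hit.group(0), "value": value[:120]}
    return None


def scan_log(text):
    """Scan a whole log text and return the findings in file order."""
    return [f for f in (inspect_line(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['ip']} status={finding['status']} "
              f"marker={finding['marker']!r} value={finding['value']!r}")
```

On the sample, the benign `<p>Hello</p>` request is not reported, the `<img ... onerror=` probe and the double-encoded `<script>` probe (sent with a `;jsessionid=` path parameter) are both flagged, and the hit on /jsp/other.jsp is ignored because the path is checked after normalization. A status of 200 on a flagged line is worth noting: it shows the endpoint accepted the request, which is what you would expect on an unpatched system. Payloads sent in a POST body never reach this detector, so pair it with WAF or application-level logging.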
Affected Countries
Italy, Germany, France, Spain, United Kingdom
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-09-26T00:00:00.000Z
- CVSS Version: null (no score assigned)
- State: PUBLISHED
Threat ID: 690a53132a90255b94da5743
Added to database: 11/4/2025, 7:25:07 PM
Last enriched: 11/4/2025, 8:42:48 PM
Last updated: 11/5/2025, 5:03:02 AM