CVE-2025-63354: n/a
CVE-2025-63354 is a stored cross-site scripting (XSS) vulnerability in Hitron HI3120 firmware version 7.2.4.5.2b1. It occurs via the Parental Control feature when creating a new filter: the submitted filter data is stored on the device and later rendered into the management interface without encoding, so injected JavaScript runs in the browser of any administrator who views the affected page. The analysis records that exploitation does not require authentication; if that holds, remote attackers could plant a payload that later hijacks administrator sessions, steals credentials or performs configuration changes through the management interface. No exploits are known in the wild, but a persistent payload on a network gateway is a significant risk to device integrity and user privacy, and European organizations using Hitron HI3120 devices should prioritise mitigation. The impact is rated medium to high because of the persistent code execution and the critical role of routers in network infrastructure.
AI Analysis
Technical Summary
CVE-2025-63354 is a stored cross-site scripting (XSS) vulnerability in Hitron HI3120 router firmware version 7.2.4.5.2b1. The root cause is improper handling of user-supplied input in the Parental Control feature when a new filter is created: the value submitted for the filter is stored in the device configuration and later written back into the management pages without output encoding, which is the defining pattern of stored XSS. Because the payload is stored rather than reflected, it runs every time an administrator's browser loads the affected page, with the rights of that administrator's session on the management interface. That session context is what makes router XSS serious: a script running there can read the rendered configuration, submit requests in the administrator's name (for example to change DNS servers or remote-management settings, where the UI exposes those functions) and send whatever the page reveals to an attacker-controlled host. The analysis records that exploitation does not require authentication. The CVE record carries no CVSS vector, so that claim should be verified against the vendor's advisory before it drives prioritisation: on most SOHO routers, creating a Parental Control filter requires an authenticated administrator session, in which case the realistic attacker is someone who already holds such a session and plants the payload for a later administrator to trigger. No public exploit has been reported. No official CVSS score was published at the time of writing; given persistent execution in the management context of a network gateway, a medium-to-high rating is reasonable pending the vendor's own assessment. No vendor fix was listed at the time of reporting, so mitigation rests on access restriction and monitoring. The underlying lesson is the usual one for embedded web interfaces: validate on input, but treat output encoding at the point where stored values are rendered as the primary control.
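To make the flaw class concrete, the following Python example (added here; it is not Hitron's code and is not derived from the device's firmware) models a list of Parental Control filters being rendered into an administration page. The `SAMPLE_FILTERS` data, the `name` field, the row template and the allowlist policy are all constructed for the example. The vulnerable renderer splices the stored name into markup verbatim; the hardened one applies an input allowlist on creation and, more importantly, HTML-escapes on output in both contexts the name lands in (element text and a quoted attribute). A small `HTMLParser`-based checker then shows which version produces executable content.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample data: one benign filter name plus two attacker-supplied names.
# The "name" field is an assumption for this example, not Hitron's data model.
SAMPLE_FILTERS = [
    {"name": "Kids tablet"},
    {"name": "<script>alert(document.cookie)</script>"},   # element-context payload
    {"name": '" onmouseover="alert(1)'},                   # attribute-context payload
]

# Hypothetical input allowlist applied when a filter is created:
# 1-32 characters of letters, digits, space, dot, underscore or dash.
FILTER_NAME_RE = re.compile(r"[A-Za-z0-9 ._-]{1,32}")

# The name is written into two HTML contexts: element text and a quoted attribute.
ROW_TEMPLATE = '<tr><td>%s</td><td><input name="filter" value="%s"></td></tr>'


def validate_filter_name(name: str) -> bool:
    """Input-side check. Defence in depth only: it does not protect values that
    reached the configuration store by another route or before it was added."""
    return FILTER_NAME_RE.fullmatch(name) is not None


def render_filter_rows_vulnerable(filters) -> str:
    """The flaw class: stored names are spliced into markup verbatim, so a name
    containing markup becomes live HTML in the administrator's browser."""
    rows = []
    for f in filters:
        rows.append(ROW_TEMPLATE % (f["name"], f["name"]))
    return "\n".join(rows)


def render_filter_rows_hardened(filters) -> str:
    """Output encoding at render time. html.escape(quote=True) neutralises
    &, <, >, " and ', which covers both contexts the template writes into.
    This, not input validation, is the control that stops the injection."""
    rows = []
    for f in filters:
        safe = html.escape(f["name"], quote=True)
        rows.append(ROW_TEMPLATE % (safe, safe))
    return "\n".join(rows)


class _ActiveContentFinder(HTMLParser):
    """Records script elements, inline event handlers and javascript: URLs that
    appear as real markup (not as escaped text) in a rendered page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for attr, value in attrs:
            if attr.startswith("on"):
                self.findings.append("event handler " + attr)
            elif attr in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append("javascript: URL in " + attr)


def active_content(rendered: str) -> list:
    """List the executable constructs a browser would see in the rendered HTML."""
    finder = _ActiveContentFinder()
    finder.feed(rendered)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_filter_rows_vulnerable),
                            ("hardened", render_filter_rows_hardened)):
        page = renderer(SAMPLE_FILTERS)
        print(label, "->", active_content(page) or "no active content")
    print("allowlist verdicts:", [validate_filter_name(f["name"]) for f in SAMPLE_FILTERS])
```

The second payload never needs a `<` character: it closes the `value` attribute and adds an event handler, which is why a filter that only strips angle brackets is not enough and why the escape must be context-aware (`quote=True`). Every stored field that reaches a management page, not just the filter name, needs the same treatment.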
Potential Impact
For European organizations, a successful attack turns the administrator's own browser session into the attacker's tool: script executing in the management interface inherits that session's rights on the device and can read the rendered configuration, submit configuration changes in the administrator's name and send captured data to an attacker-controlled host. Concretely, a compromised HI3120 could have its DNS settings altered to redirect or intercept traffic from every connected device, its remote-management settings changed to keep the attacker in, or its credentials captured for later use. Confidentiality is at risk through credential theft and session hijacking; integrity and availability are at risk if settings are altered or the device is disrupted. Because the payload lives in the device configuration, it survives reboots and fires again on every visit to the affected page until the offending filter entry is deleted. Small and medium enterprises that rely on an HI3120 for internet access and parental controls are most exposed, and a compromised gateway is a natural foothold for attacks on the rest of the network. If the no-authentication claim holds, every device whose management interface the attacker can reach is in scope, which widens the threat surface considerably. The absence of known exploits limits immediate risk but not the potential severity if the flaw is weaponized; European organizations should treat it as a serious threat to network security and operational continuity.
Mitigation Recommendations
1. Immediately restrict access to the HI3120 management interface: allow it only from trusted internal networks and disable WAN-side remote management wherever possible. This is the control that matters most, because a payload can only be planted through, and can only fire in, that interface.
2. Segment the network so that the router's management interface and the devices behind it are isolated from critical infrastructure and sensitive data environments.
3. Monitor router logs (or, more realistically for this device class, an upstream proxy, firewall or IDS that sees traffic to the management interface) for requests to the Parental Control filter endpoints whose form fields contain HTML markup, inline event handlers or javascript: URLs, and for management-interface access from outside the trusted networks.
4. Review the existing Parental Control filters on each device for names or values containing markup; a payload that is already stored is removed only by deleting that filter entry.
5. Apply vendor firmware updates as soon as Hitron publishes a fix for this issue.
6. Where the management interface sits behind an upstream firewall or IPS (typical in a branch office, rare in a home office), use its HTTP inspection to alert on or block XSS payloads in form posts to the router; do not rely on this as the primary control.
7. Educate administrators about stored XSS in device interfaces: keep the number of administrative accounts small, log out after configuration sessions so that a stolen session token has a short useful life, and never paste untrusted content into configuration fields.
8. Include router and IoT management interfaces in regular security assessments and penetration tests to find similar stored-input flaws.
9. Replace or upgrade devices that no longer receive security updates or carry known unpatched vulnerabilities.
Combined, these measures shrink both the attack surface and the blast radius until a permanent fix is deployed.
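As an added example for mitigation steps 1 and 3 above (not part of the advisory and not vendor tooling), the Python below scans constructed request records for two things: management-interface access from outside a trusted network, and XSS indicators in form fields posted to a filter-creation endpoint. The tab-separated record format, the `/parental/filter/add` path, the `name` and `domain` fields and the 192.168.0.0/24 trusted range are all assumptions; adapt them to whatever your proxy, firewall or IDS actually records.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# Assumptions for this example: the management network, and the path the
# filter-creation form posts to. Neither is taken from Hitron documentation.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("192.168.0.0/24")]
FILTER_CREATE_PATH = "/parental/filter/add"

# Indicators checked against each decoded form value, in order; first hit wins.
XSS_INDICATORS = [
    ("html tag", re.compile(r"<\s*/?\s*[a-z]", re.I)),
    ("inline event handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript: URL", re.compile(r"javascript\s*:", re.I)),
    ("character reference", re.compile(r"&#x?[0-9a-f]+;?", re.I)),
]

# Constructed records, tab-separated: timestamp, source IP, method, path, raw
# form body. A real proxy or IDS export will need its own parser.
SAMPLE_LOG = """\
2026-02-09T15:01:02Z\t192.168.0.20\tPOST\t/parental/filter/add\tname=Kids+tablet&domain=example.com
2026-02-09T15:02:11Z\t192.168.0.20\tPOST\t/parental/filter/add\tname=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&domain=example.com
2026-02-09T15:03:40Z\t203.0.113.7\tPOST\t/parental/filter/add\tname=%22+onmouseover%3D%22alert%281%29&domain=bad.example
2026-02-09T15:04:05Z\t203.0.113.7\tGET\t/\t
2026-02-09T15:05:00Z\t192.168.0.21\tPOST\t/parental/filter/add\tname=Gaming-PC_2&domain=games.example
"""


def first_indicator(value: str):
    """Return the name of the first XSS indicator found in a decoded value, or None."""
    for name, pattern in XSS_INDICATORS:
        if pattern.search(value):
            return name
    return None


def parse_record(line: str) -> dict:
    """Split one constructed record into its five fields (body may be empty)."""
    ts, src, method, path, body = line.split("\t", 4)
    return {"ts": ts, "src": src, "method": method, "path": path, "body": body}


def analyse(log_text: str) -> list:
    """Return (timestamp, source, message) findings for the two checks."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        src = ipaddress.ip_address(rec["src"])
        if not any(src in net for net in TRUSTED_MGMT_NETS):
            findings.append((rec["ts"], rec["src"],
                             "management interface reached from outside the trusted networks"))
        if rec["method"] == "POST" and rec["path"] == FILTER_CREATE_PATH:
            # parse_qs URL-decodes, so %3C and + are already turned back into < and space.
            for field, values in parse_qs(rec["body"], keep_blank_values=True).items():
                for value in values:
                    hit = first_indicator(value)
                    if hit:
                        findings.append((rec["ts"], rec["src"],
                                         f"XSS indicator ({hit}) in form field {field!r}: {value!r}"))
    return findings


if __name__ == "__main__":
    for ts, src, message in analyse(SAMPLE_LOG):
        print(ts, src, message)
```

Routers of this class rarely log POST bodies themselves, so in practice the input comes from a proxy or IDS placed in front of the management interface. The indicator list is deliberately crude and will flag some legitimate values; its job is to surface filter submissions for a human to look at, not to block them.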
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-10-27T00:00:00.000Z
- CVSS Version: null (no CVSS vector published)
- State: PUBLISHED
Threat ID: 6989fa464b57a58fa15923e7
Added to database: 2/9/2026, 3:16:22 PM
Last enriched: 2/9/2026, 3:30:56 PM
Last updated: 2/9/2026, 5:27:01 PM