
CVE-2025-63735: n/a

Published: Tue Nov 25 2025 (11/25/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A reflected cross-site scripting (XSS) vulnerability in Ruckus Unleashed 200.13.6.1.319 via the name parameter to the captive-portal endpoint selfguestpass/guestAccessSubmit.jsp.

AI-Powered Analysis

Last updated: 11/25/2025, 21:39:01 UTC

Technical Analysis

CVE-2025-63735 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the Ruckus Unleashed wireless access point firmware version 200.13.6.1.319. The vulnerability exists in the captive portal endpoint selfguestpass/guestAccessSubmit.jsp, specifically via the 'name' parameter. Reflected XSS occurs when malicious input sent by an attacker is immediately reflected in the server's response without proper sanitization or encoding, allowing the execution of arbitrary JavaScript in the context of the victim's browser. This can lead to various attack scenarios including session hijacking, theft of cookies or credentials, defacement, or redirection to malicious websites. The vulnerability does not require authentication, making it accessible to unauthenticated attackers who can lure victims into clicking crafted URLs. Although no public exploits have been reported yet, the presence of this vulnerability in a captive portal—a common feature in guest Wi-Fi networks—raises concerns about the security of users connecting to such networks. The lack of a CVSS score indicates that the vulnerability is newly published and pending further assessment. The absence of patches at the time of publication suggests that users should apply interim mitigations. Given the widespread use of Ruckus Unleashed devices in enterprise and public Wi-Fi deployments, this vulnerability could be leveraged to compromise user trust and network security.

Potential Impact

For European organizations, this vulnerability could lead to significant risks, especially in sectors relying on guest Wi-Fi access such as hospitality, education, healthcare, and retail. Attackers exploiting this XSS flaw could steal session cookies or credentials from users accessing captive portals, potentially gaining unauthorized access to internal resources or sensitive data. The reflected nature of the XSS means attackers must trick users into clicking malicious links, but given the captive portal context, this could be facilitated through phishing or social engineering. Compromise of guest networks could also serve as a pivot point for further attacks within organizational networks if segmentation is weak. Additionally, reputational damage and regulatory consequences under GDPR may arise if personal data is exposed or compromised. The vulnerability could disrupt availability if exploited to inject scripts that cause denial of service or degrade user experience on captive portals.

Mitigation Recommendations

Organizations should monitor Ruckus communications for official patches addressing CVE-2025-63735 and apply them promptly once available. In the interim, administrators should restrict access to the captive portal interface to trusted networks or implement network segmentation to isolate guest traffic from sensitive internal systems. Web application firewalls (WAFs) can be configured to detect and block malicious input patterns targeting the 'name' parameter. Input validation and output encoding should be enforced on the captive portal endpoint to prevent script injection. Educating users about the risks of clicking unknown links in guest Wi-Fi environments can reduce successful exploitation. Logging and monitoring of captive portal access should be enhanced to detect suspicious activity. Finally, consider disabling the captive portal feature temporarily if it is not essential or replacing it with more secure authentication mechanisms.
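The two server-side mitigations above (output encoding on the endpoint, and log monitoring for the 'name' parameter) as an added Python example; this is illustrative code, not Ruckus firmware or any part of the CVE record. It assumes the access log is in Common Log Format and that the endpoint path is the one named in the advisory; the sample log lines are constructed.

```python
import re
from html import escape
from urllib.parse import urlparse, parse_qs

# The vulnerable captive-portal endpoint named in the advisory.
ENDPOINT = "/selfguestpass/guestAccessSubmit.jsp"

# Characters and tokens that let a reflected value break out of HTML text or attribute context.
META = re.compile(r"[<>\"'`]|javascript:|on\w+\s*=", re.IGNORECASE)

# Common Log Format request line (assumed layout; the real device log may differ).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def encode_for_html(value: str) -> str:
    """Output-encode a reflected value so the browser renders it as text, never as markup."""
    return escape(value, quote=True)

def render_confirmation(name: str) -> str:
    """Hardened rendering of the guest-pass confirmation: the name is encoded at output time."""
    return f"<p>Guest pass requested for {encode_for_html(name)}</p>"

def suspicious_name_params(log_lines):
    """Return (client_ip, decoded_name) for requests to ENDPOINT whose 'name'
    parameter carries HTML/JS metacharacters after URL-decoding."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        url = urlparse(target)
        if url.path != ENDPOINT:
            continue
        for name in parse_qs(url.query, keep_blank_values=True).get("name", []):
            if META.search(name):
                hits.append((ip, name))
    return hits

# Constructed sample log lines (not real traffic): a benign request, a probe, an unrelated path.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Nov/2025:10:00:01 +0000] "GET /selfguestpass/guestAccessSubmit.jsp?name=Alice HTTP/1.1" 200 512',
    '203.0.113.9 - - [25/Nov/2025:10:00:07 +0000] "GET /selfguestpass/guestAccessSubmit.jsp?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640',
    '198.51.100.2 - - [25/Nov/2025:10:00:09 +0000] "GET /index.jsp?name=%3Cb%3Ex HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for ip, name in suspicious_name_params(SAMPLE_LOG):
        print(f"possible XSS probe from {ip}: {name!r}; safe rendering: {render_confirmation(name)}")
```

The detector decodes the parameter before matching, so percent-encoded probes are caught the same way a browser would see them; the same META pattern can seed a WAF rule scoped to this endpoint.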


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-10-27T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 692621d54ed5c2dbbb064b46

Added to database: 11/25/2025, 9:38:29 PM

Last enriched: 11/25/2025, 9:39:01 PM

Last updated: 11/25/2025, 10:59:22 PM

