CVE-2025-63735 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the Ruckus Unleashed wireless access point firmware version 200.13.6.1.319. The vulnerability resides in the captive-portal endpoint selfguestpass/guestAccessSubmit.jsp, specifically in the 'name' parameter, which does not properly sanitize user input. This allows an attacker to craft a malicious URL that, when visited by a user, causes the execution of arbitrary JavaScript in the victim's browser context. Because this is a reflected XSS, the malicious payload is part of the request and reflected in the response, requiring the victim to click a crafted link or be tricked into visiting a malicious site. The vulnerability does not require authentication (PR:N) but does require user interaction (UI:R). The scope is classified as changed (S:C) because the vulnerability affects the web interface of the device, potentially impacting the confidentiality and integrity of user sessions or data handled by the captive portal. The CVSS vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required, user interaction required, and partial impact on confidentiality and integrity but no impact on availability. There are no known exploits in the wild or official patches released at the time of publication. The vulnerability is categorized under CWE-79, which is a common web application security flaw related to improper input validation leading to XSS. This vulnerability could be leveraged to steal session cookies, perform phishing attacks, or execute malicious scripts in the context of the captive portal, potentially compromising user data or network access controls.

For European organizations, this vulnerability poses a moderate risk primarily to environments using Ruckus Unleashed access points with captive portals enabled, such as guest Wi-Fi networks in enterprises, hotels, or public venues. Successful exploitation could allow attackers to hijack user sessions, steal credentials, or conduct phishing attacks by injecting malicious scripts into the captive portal login process. This could lead to unauthorized network access or data leakage, impacting confidentiality and integrity. While availability is not affected, the trustworthiness of network access controls could be undermined. Organizations with high guest traffic or sensitive data passing through captive portals are at greater risk. The lack of authentication requirement means attackers can target any user accessing the captive portal, increasing the attack surface. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as proof-of-concept exploits may emerge. The vulnerability could also be leveraged in targeted attacks against high-value organizations or critical infrastructure providers in Europe that rely on Ruckus wireless solutions for secure guest access.

1. Implement strict input validation and output encoding on the captive portal web interface to sanitize the 'name' parameter and other user inputs, preventing script injection. 2. Disable the captive portal guest access feature if it is not required, reducing the attack surface. 3. Segment guest wireless networks from internal corporate networks to limit potential lateral movement if an attack occurs. 4. Monitor captive portal logs and network traffic for unusual or suspicious requests that may indicate attempted exploitation. 5. Educate users about the risks of clicking on unsolicited links, especially those leading to captive portals. 6. Apply any future patches or firmware updates from Ruckus promptly once available. 7. Consider deploying Web Application Firewalls (WAF) or Intrusion Prevention Systems (IPS) capable of detecting and blocking reflected XSS payloads targeting captive portals. 8. Conduct regular security assessments and penetration testing of wireless infrastructure to identify and remediate similar vulnerabilities proactively.