CVE-2025-63834: n/a
Description
A stored cross-site scripting (XSS) vulnerability was discovered in Tenda AC18 v15.03.05.05_multi. The vulnerability exists in the ssid parameter of the wireless settings. Remote attackers can inject malicious payloads that execute when any user visits the router's homepage.
AI Analysis
Technical Summary
CVE-2025-63834 is a stored cross-site scripting (XSS) vulnerability in Tenda AC18 router firmware v15.03.05.05_multi. The flaw lies in the handling of the ssid parameter of the wireless settings in the router's web interface: the submitted value is stored without sanitization and later written into the router's homepage without output encoding, so any HTML or JavaScript placed in the SSID field is interpreted as markup rather than displayed as text. Setting the SSID normally requires access to the configuration interface, so the attacker is assumed to hold low privileges (an authenticated session or some other route to the wireless settings). The payload persists in the configuration and executes in the browser of every user who subsequently loads the homepage; because that page is the administrative interface itself, the victims are typically the device's administrators. The attack vector is network-based, in that the attacker needs to reach the management interface, and exploitation requires user interaction in the form of a victim opening the page. Script running in the administrator's browser session can read the interface, steal or replay the session, and submit configuration changes on the victim's behalf, so confidentiality and integrity are affected; there is no direct impact on availability. The analysis rates the issue CVSS v3.1 5.4 (medium), which corresponds to the vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (network vector, low attack complexity, low privileges, user interaction required, scope changed, low confidentiality and integrity impact); the CVE record itself carries no CVSS version (see Technical Details), so this score is the analysis's own assessment. No public exploit or vendor patch is known at the time of writing, which leaves affected devices exposed. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation).
Potential Impact
For European organizations, the vulnerability poses a moderate risk, chiefly to the confidentiality and integrity of router management sessions. An attacker who succeeds executes script in the context of the router's web interface and can steal administrative credentials or session state, or change router settings on the administrator's behalf. That in turn enables unauthorized network configuration changes (for example DNS or port-forwarding rules), interception of traffic and pivoting into the internal network. The exposure is greatest for small and medium enterprises (SMEs) and home-office environments, where Tenda AC18 routers are commonly deployed and where the management interface may be reachable by several users or poorly protected. Availability is not affected directly, but altered router settings can disrupt network operation as a side effect. The absence of a known public exploit lowers the immediate risk, while the absence of a patch means the flaw remains exploitable. Organizations that operate these routers, or whose staff manage them from home offices, should treat this as a significant concern, particularly in sectors handling sensitive data or critical infrastructure.
Mitigation Recommendations
1. Restrict access to the router's web management interface: disable remote (WAN-side) management if it is enabled, and limit LAN-side access to trusted hosts or a dedicated management network where the firmware allows it.
2. Enforce strong authentication for router access, using a long, unique administrator password and multi-factor authentication where the firmware supports it.
3. Check the currently configured SSID in the wireless settings (and as broadcast by the device) for angle brackets, quotes or script-like fragments. An unexpected value indicates that someone with access to the settings has already modified it; reset the SSID to a plain name, change the administrator password and review the rest of the configuration.
4. Monitor router logs and network traffic for unusual activity such as unexpected administrator logins, configuration changes, or HTTP requests to the management interface whose parameters contain HTML markup.
5. Until a fix is available, treat the router's homepage as a page that may carry attacker-controlled content: limit who logs in, do not open it from untrusted devices or networks, and log out when finished so that an injected script does not inherit an idle session.
6. Check regularly for firmware updates from Tenda and apply a fix promptly once one is released; none is available at the time of writing.
7. Where possible, replace vulnerable Tenda AC18 units with models that receive confirmed security updates or have a better security track record.
8. Segment the network so that the router's management interface is reachable only from an administrative network, not from general user networks.
9. Use network intrusion detection, or a web application firewall where one can be placed in front of the management interface, to detect and block requests carrying suspicious payloads.
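The rendering flaw described in the technical summary, and the check of a configured SSID for markup recommended above, illustrated with added example code. This is not Tenda firmware code and makes no claim about how the AC18 actually builds its pages: it models a status-page template that interpolates the stored SSID raw, the same template with HTML output encoding, a validator for new SSID values and an audit helper for an SSID read back from a device. The function names, the 32-octet SSID limit taken from IEEE 802.11 and the test string are all assumptions of the example.

```javascript
// Added example, not Tenda firmware code. Models a router status page that
// prints the configured SSID: first the way the advisory describes the flaw
// (raw interpolation into HTML, CWE-79), then with output encoding applied at
// the point of use. All names are hypothetical and the SSID is a constructed
// test string, not a payload observed in the wild.

const MAX_SSID_OCTETS = 32; // IEEE 802.11 upper bound on SSID length

// Entity-encode a string for placement inside an element body or a
// double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the stored SSID goes straight into the markup, so a
// value containing tags becomes part of the page's DOM.
function renderStatusVulnerable(ssid) {
  return `<div id="wifi">Wireless: ${ssid}</div>`;
}

// Hardened pattern: identical template, value encoded where it is emitted.
// This is the actual fix; the checks below are defense in depth.
function renderStatusSafe(ssid) {
  return `<div id="wifi">Wireless: ${escapeHtml(ssid)}</div>`;
}

// Acceptance check for a new SSID submitted to the wireless settings.
// Policy choice for this example: enforce the 802.11 length limit, reject
// control characters, and reject the HTML metacharacters that have no place
// in a network name and would only matter if some renderer forgot to encode.
function validateSsid(ssid) {
  const octets = new TextEncoder().encode(ssid).length;
  if (octets === 0 || octets > MAX_SSID_OCTETS) {
    return { ok: false, reason: `length ${octets} octets outside 1..${MAX_SSID_OCTETS}` };
  }
  if (/[\x00-\x1f\x7f]/.test(ssid)) {
    return { ok: false, reason: "control character" };
  }
  if (/[<>"']/.test(ssid)) {
    return { ok: false, reason: "HTML metacharacter" };
  }
  return { ok: true, reason: "" };
}

// Audit heuristic for an SSID read back from an already-configured device:
// flags tag openers, inline event handlers and javascript: URLs. Cheap to run
// over an inventory of devices; a hit means the settings were already altered.
function ssidLooksInjected(ssid) {
  return /<\s*\/?\s*[a-z]|\bon[a-z]+\s*=|javascript:/i.test(ssid);
}

// Constructed test value: 31 bytes, so it fits within the 802.11 limit.
const CONSTRUCTED_SSID = "Office<script>alert(1)</script>";

// Runs the constructed SSID through both renderers and both checks.
function demo() {
  return {
    vulnerable: renderStatusVulnerable(CONSTRUCTED_SSID),
    safe: renderStatusSafe(CONSTRUCTED_SSID),
    accepted: validateSsid(CONSTRUCTED_SSID).ok,
    flagged: ssidLooksInjected(CONSTRUCTED_SSID),
  };
}

console.log(demo());
```

The point of the two renderers is that the template is the same in both; the only difference is whether encoding happens at the output point. Input validation alone is a weaker control, because a legitimate SSID may contain characters such as `&` that still need encoding, and because a later firmware change may add another page that prints the SSID. The audit helper is a heuristic for triage across a fleet, not a replacement for reading the configured value directly.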
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-10-27T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69121b9bc86173478b69b3aa
Added to database: 11/10/2025, 5:06:35 PM
Last enriched: 12/1/2025, 8:22:55 PM
Last updated: 12/23/2025, 4:52:33 PM
Views: 72