CVE-2025-64054 is a reflected Cross Site Scripting (XSS) vulnerability identified in Fanvil x210 VoIP phones running firmware version 2.12.20. The vulnerability resides in the web management interface, specifically the /cgi-bin/webconfig?page=upload&action=submit endpoint, which processes POST requests. An attacker can craft a malicious POST request that injects executable scripts, leading to reflected XSS. This can be leveraged to execute arbitrary commands on the device, potentially resulting in a denial of service or full compromise of the device. The vulnerability does not require prior authentication (PR:N) but does require user interaction (UI:R), such as tricking an administrator or user into visiting a malicious URL or submitting a crafted form. The vulnerability affects confidentiality, integrity, and availability (C:H/I:H/A:H) and has a CVSS v3.1 base score of 9.6, categorizing it as critical. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. No patches or updates have been released yet, and no active exploitation has been reported. The underlying weakness is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), indicating insufficient input sanitization. Given the device's role in telephony infrastructure, exploitation could disrupt communications or allow attackers to intercept or manipulate voice traffic.

For European organizations, the impact of this vulnerability is significant due to the widespread use of Fanvil x210 VoIP phones in enterprise telephony systems. Successful exploitation could lead to denial of service, disrupting critical voice communications and impacting business operations. Additionally, arbitrary command execution could allow attackers to gain control over the device, potentially enabling interception of calls, unauthorized access to internal networks, or lateral movement within corporate environments. Confidentiality breaches could expose sensitive conversations or credentials. The critical severity and ease of exploitation without authentication increase the risk profile. Sectors such as finance, government, healthcare, and telecommunications, which rely heavily on secure and reliable voice communications, are particularly vulnerable. Disruption or compromise of telephony devices could also affect emergency response capabilities and regulatory compliance obligations under GDPR and other data protection laws.

1. Immediately restrict access to the web management interface of Fanvil x210 devices to trusted networks only, preferably via VPN or isolated management VLANs. 2. Disable web interface access if not required or limit it to specific IP addresses. 3. Implement strict input validation and sanitization at the network perimeter using web application firewalls (WAFs) to detect and block malicious POST requests targeting the vulnerable endpoint. 4. Monitor device logs and network traffic for unusual POST requests or signs of exploitation attempts. 5. Educate administrators and users about phishing and social engineering risks to prevent user interaction exploitation. 6. Regularly audit and update device firmware; coordinate with Fanvil for timely patch releases and apply them as soon as available. 7. Consider network segmentation to isolate VoIP devices from critical business systems to limit potential lateral movement. 8. Employ intrusion detection/prevention systems (IDS/IPS) tuned to detect XSS or command injection attempts against VoIP infrastructure.