CVE-2025-64054: n/a
A reflected Cross Site Scripting (XSS) vulnerability on Fanvil x210 2.12.20 devices allows attackers to cause a denial of service or potentially execute arbitrary commands via a crafted POST request to the /cgi-bin/webconfig?page=upload&action=submit endpoint.
AI Analysis
Technical Summary
CVE-2025-64054 is a reflected Cross Site Scripting (XSS) vulnerability identified in Fanvil x210 IP phones running firmware version 2.12.20. The vulnerability resides in the web management interface, specifically the /cgi-bin/webconfig?page=upload&action=submit endpoint, which processes POST requests. An attacker can craft a malicious POST request that injects script code, which the device reflects back in its response without adequate sanitization. The flaw can be exploited to cause a denial of service (DoS) by destabilizing the device, or potentially to escalate to arbitrary command execution on the device. The vulnerability does not require prior authentication, which increases its risk profile. Because it is reflected rather than stored XSS, the attack must be delivered in a crafted request that the victim or device processes, rather than persisting on the device. Although no public exploits have been reported yet, the nature of the flaw suggests that exploitation could lead to significant operational disruption or device compromise. The absence of a CVSS score indicates that the vulnerability is newly published and not yet fully assessed, but the technical details imply a serious security issue affecting device confidentiality, integrity, and availability. Fanvil x210 devices are widely used in enterprise telephony, making this vulnerability relevant to organizations that rely on them for communication.
Potential Impact
For European organizations, this vulnerability could lead to multiple adverse impacts. The denial of service potential could disrupt telephony services, affecting business communications and operational continuity. More critically, the possibility of arbitrary command execution could allow attackers to take control of affected devices, leading to interception or manipulation of voice communications, unauthorized access to internal networks, or use of compromised devices as pivot points for further attacks. Given that IP phones are often integrated into corporate networks, exploitation could undermine network security and data confidentiality. The lack of an authentication requirement means attackers can attempt exploitation remotely, increasing the attack surface. Organizations in sectors with a high reliance on secure communications, such as finance, government, and critical infrastructure, could face heightened risks. Additionally, the absence of known patches or exploits in the wild suggests a window of exposure until mitigations are applied.
Mitigation Recommendations
To mitigate CVE-2025-64054, organizations should first verify whether they have Fanvil x210 devices running firmware version 2.12.20. If so, they should immediately check for firmware updates or patches from Fanvil addressing this vulnerability and apply them promptly. In the absence of official patches, network-level protections should be implemented, such as web application firewalls (WAFs) configured to detect and block malicious POST requests targeting the /cgi-bin/webconfig endpoint. Network segmentation can limit the exposure of IP phones to untrusted networks. Administrators should disable remote web management access where possible, or restrict it via VPN or IP allow-listing. Monitoring network traffic for unusual POST requests and anomalous device behavior can help detect exploitation attempts. Regular security assessments and penetration testing focused on IP phone infrastructure are recommended. Finally, educating staff about the risks of interacting with suspicious links or requests related to telephony devices can reduce the likelihood of successful attacks.
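Added example (not part of this advisory or of Fanvil's software): a detection pass, in the spirit of the monitoring recommendation above, that scans constructed reverse-proxy access-log lines and flags POST requests to the upload handler whose query string or body carries HTML or script markers. The log layout (URL-encoded POST body appended as a last quoted field) and the sample addresses are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample lines (not from a real device) in a combined-log style where the
# reverse proxy in front of the phone appends the URL-encoded POST body as a last field.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Dec/2025:15:40:01 +0000] "POST /cgi-bin/webconfig?page=upload&action=submit HTTP/1.1" 200 512 "filename=config.txt"
10.0.0.9 - - [05/Dec/2025:15:41:13 +0000] "POST /cgi-bin/webconfig?page=upload&action=submit HTTP/1.1" 200 890 "filename=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
10.0.0.5 - - [05/Dec/2025:15:42:20 +0000] "GET /cgi-bin/webconfig?page=status HTTP/1.1" 200 2048 "-"
10.0.0.7 - - [05/Dec/2025:15:43:05 +0000] "POST /cgi-bin/webconfig?page=upload&action=submit HTTP/1.1" 200 700 "filename=x%22%20onerror%3Dalert(1)"
10.0.0.7 - - [05/Dec/2025:15:43:09 +0000] "POST /cgi-bin/webconfig?page=upload&action=submit HTTP/1.1" 200 700 "filename=report.csv&note=javascript%3Avoid(0)"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "(?P<body>[^"]*)"$'
)
# Markup and script markers that have no legitimate place in an upload form field.
MARKER_RE = re.compile(r'<|>|javascript:|\bon[a-z]+\s*=', re.IGNORECASE)

def is_upload_submit(target: str) -> bool:
    """True when the request targets the handler named in the advisory."""
    parts = urlsplit(target)
    q = parse_qs(parts.query)
    return (parts.path == "/cgi-bin/webconfig"
            and q.get("page") == ["upload"] and q.get("action") == ["submit"])

def scan_log(text: str) -> list[dict]:
    """One finding per POST to the upload handler whose query or body carries markup."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not is_upload_submit(m["target"]):
            continue
        # Decode twice so a single extra layer of percent-encoding cannot hide the markers.
        decoded = unquote_plus(unquote_plus(m["target"] + " " + m["body"]))
        hit = MARKER_RE.search(decoded)
        if hit:
            findings.append({"ip": m["ip"], "ts": m["ts"], "marker": hit.group(0)})
    return findings

def sources(findings: list[dict]) -> dict[str, int]:
    """Flagged requests per source address, e.g. to feed an alert threshold or block list."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} suspicious marker {f['marker']!r}")
```

The same `is_upload_submit` and `MARKER_RE` checks can be lifted into a WAF or proxy rule; the log scan is the retrospective form of that rule.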
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-10-27T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6932fe10f88dbe026cf26f45
Added to database: 12/5/2025, 3:45:20 PM
Last enriched: 12/5/2025, 4:01:30 PM
Last updated: 12/6/2025, 4:41:52 AM