CVE-2025-64984 is a reflected cross-site scripting (XSS) vulnerability classified under CWE-79, affecting Kaspersky Endpoint Security for Linux and Mac platforms. The vulnerability arises from improper neutralization of input during web page generation, allowing an attacker to inject malicious scripts into the web interface responses. Specifically, versions of Kaspersky Endpoint Security for Linux with antivirus databases prior to 18.11.2025, Kaspersky Industrial CyberSecurity for Linux Nodes with similar database versions, and Kaspersky Endpoint Security for Mac versions 12.0.0.325, 12.1.0.553, and 12.2.0.694 with outdated antivirus databases are vulnerable. The attack vector involves reflected XSS, where an attacker crafts a malicious URL or payload that, when clicked by a user (typically via phishing), causes the victim's browser to execute arbitrary JavaScript code within the security product's web interface context. This can lead to session hijacking, unauthorized actions, or information disclosure. The vulnerability does not require authentication or privileges and has a CVSS 4.0 score of 5.1, reflecting medium severity. The scope is limited to the affected product versions and relies on user interaction (clicking a malicious link). No public exploits have been reported, but the risk is elevated due to the phishing attack vector. Kaspersky has released fixes, but patch links were not provided in the source data. The vulnerability underscores the critical need for proper input validation and output encoding in security product web interfaces to prevent injection attacks.

For European organizations, this vulnerability poses a moderate risk primarily through phishing campaigns targeting users of Kaspersky Endpoint Security on Linux and Mac. Successful exploitation could allow attackers to execute arbitrary scripts in the context of the security product's web interface, potentially leading to session hijacking, unauthorized configuration changes, or data leakage. This could undermine the security posture of affected endpoints, especially in environments relying heavily on Kaspersky products for endpoint protection. Industrial and critical infrastructure sectors using Kaspersky Industrial CyberSecurity for Linux Nodes are particularly at risk, as compromise could affect operational technology environments. The phishing vector increases the likelihood of targeted attacks against employees, potentially enabling lateral movement or privilege escalation. While no known exploits are currently active, the medium severity and ease of exploitation via phishing warrant proactive mitigation. The impact on confidentiality and integrity is moderate, with availability impact being low. Organizations could face regulatory scrutiny if data breaches occur due to exploitation of this vulnerability.

1. Immediately update Kaspersky Endpoint Security products to versions with antivirus databases dated 18.11.2025 or later to apply the official fix. 2. If immediate patching is not possible, implement web application firewall (WAF) rules to detect and block reflected XSS attack patterns targeting the security product's web interface. 3. Conduct targeted phishing awareness training for employees, emphasizing the risks of clicking unknown or suspicious links, especially those purporting to relate to security software. 4. Restrict access to the Kaspersky web interface to trusted networks or via VPN to reduce exposure to external phishing attempts. 5. Monitor logs for unusual web interface access patterns or suspicious URL parameters indicative of attempted XSS exploitation. 6. Employ Content Security Policy (CSP) headers if configurable on the affected web interfaces to limit script execution sources. 7. Coordinate with Kaspersky support for any additional hardening guidance or interim mitigations. 8. Review and tighten endpoint security policies to detect anomalous behavior that could result from exploitation. These steps go beyond generic advice by focusing on network-level controls, user training, and monitoring specific to the affected product's web interface.