CVE-2025-65231 identifies a stored Cross Site Scripting (XSS) vulnerability in Barix Instreamer devices running firmware version v04.06 and earlier. The vulnerability resides in the Web UI’s I/O & Serial configuration page, specifically in the CTS close command user-input field. When a user inputs malicious JavaScript code into this field, the input is stored persistently and later rendered unsanitized on the Status page of the device’s web interface. This lack of input validation and output encoding allows an attacker with access to the configuration page to inject scripts that execute in the context of any user viewing the Status page. Such execution can lead to theft of session cookies, enabling session hijacking, unauthorized command execution on the device via the web interface, or redirection to malicious sites. The vulnerability requires the attacker to have authenticated access to the device’s web UI to input the malicious payload, limiting exploitation to insiders or attackers who have compromised credentials. No CVSS score has been assigned yet, and no patches or exploit code are currently publicly available. Barix Instreamer devices are commonly used in audio streaming and industrial control environments, making this vulnerability relevant for organizations relying on these devices for critical infrastructure. The stored XSS nature means the malicious script persists across sessions and can affect multiple users who access the Status page. The vulnerability highlights insufficient input sanitization and output encoding in the device’s web management interface, a common security oversight in embedded device firmware.

For European organizations, this vulnerability poses a risk primarily to the confidentiality and integrity of device management sessions. An attacker exploiting this stored XSS could hijack authenticated sessions, potentially gaining unauthorized control over the device’s configuration or disrupting audio streaming services. This could lead to operational disruptions in broadcast, industrial automation, or public announcement systems relying on Barix Instreamer devices. While the vulnerability does not directly impact device availability, unauthorized configuration changes could indirectly cause service interruptions. The requirement for authenticated access limits the threat to insiders or attackers who have obtained credentials through phishing or other means. However, given the persistence of the stored XSS payload, multiple users accessing the Status page could be affected, increasing the scope of impact. European organizations with critical infrastructure using these devices should consider the potential for targeted attacks aiming to disrupt services or gain footholds within operational technology environments.

To mitigate this vulnerability, organizations should first identify all Barix Instreamer devices running firmware version v04.06 or earlier. Since no official patches are currently available, immediate mitigation includes restricting access to the device’s web interface to trusted networks and users only, employing strong authentication mechanisms, and monitoring for unusual configuration changes. Network segmentation should isolate these devices from general IT networks to reduce exposure. Administrators should avoid entering untrusted input into the CTS close command field and educate users about the risks of stored XSS. Implementing web application firewalls (WAFs) that can detect and block XSS payloads may provide additional protection. Once Barix releases a firmware update addressing this vulnerability, organizations must prioritize timely patching. Additionally, auditing device logs and monitoring for signs of session hijacking or unauthorized access can help detect exploitation attempts early.