CVE-2025-65289: n/a
A stored Cross site scripting (XSS) vulnerability in the Mercury MR816v2 (081C3114 4.8.7 Build 110427 Rel 36550n) router allows a remote attacker on the LAN to inject JavaScript into the router's management UI by submitting a malicious hostname. The injected script is stored and later executed in the context of an administrator's browser (for example after DHCP release/renew triggers the interface to display the stored hostname). Because the management interface uses weak/basic authentication and does not properly protect or isolate session material, the XSS can be used to exfiltrate the admin session and perform administrative actions.
AI Analysis
Technical Summary
CVE-2025-65289 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Mercury MR816v2 router's management interface (firmware version 4.8.7 Build 110427 Rel 36550n). The vulnerability arises because the router's management UI accepts and stores hostnames submitted via DHCP without proper input sanitization or output encoding. An attacker connected to the local area network (LAN) can submit a maliciously crafted hostname containing JavaScript code. This code is stored persistently and later executed in the context of the administrator's browser when the management interface displays the hostname, such as during DHCP release or renew operations. The router employs weak/basic authentication mechanisms and does not adequately protect or isolate session tokens, enabling the attacker to steal the administrator's session cookie or token. With the stolen session, the attacker can perform administrative actions on the router, potentially altering configurations, redirecting traffic, or disabling security features. The vulnerability does not require user interaction or prior privileges but does require LAN access, limiting remote exploitation. The CVSS 3.1 vector (AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) indicates that the attack can be performed over the local network with low attack complexity, no privileges, and no user interaction, and it impacts confidentiality and integrity with a scope change. No patches or official fixes have been released yet, and no known exploits are reported in the wild. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation).
Potential Impact
For European organizations, this vulnerability poses a significant risk to network infrastructure security, particularly for those using Mercury MR816v2 routers in their internal networks. Successful exploitation can lead to unauthorized administrative control over the router, allowing attackers to modify network configurations, intercept or redirect traffic, and disable security controls. This compromises the confidentiality and integrity of network communications and can facilitate further lateral movement or data exfiltration within the organization. The requirement for LAN access means that attackers must already have some foothold inside the network or physical access, which is common in environments with inadequate network segmentation or guest network controls. The weak authentication and session management exacerbate the risk by making session hijacking feasible. Given the critical role routers play in network security, this vulnerability could disrupt business operations and expose sensitive data. Organizations in sectors with stringent data protection requirements, such as finance, healthcare, and government, are particularly vulnerable to reputational and regulatory consequences if exploited.
Mitigation Recommendations
1. Immediately restrict access to the router's management interface to trusted administrative hosts only, using VLAN segmentation or firewall rules to isolate the management network from general LAN access.
2. Disable DHCP hostname submission from untrusted devices or implement DHCP snooping and validation to prevent malicious hostname injection.
3. Monitor DHCP logs and router management UI for unusual or suspicious hostname entries indicative of attempted exploitation.
4. Enforce stronger authentication mechanisms on the router management interface, such as replacing basic authentication with more secure methods (e.g., HTTPS with client certificates or multi-factor authentication) if supported.
5. Regularly audit router firmware versions and configurations; engage with the vendor for patches or firmware updates addressing this vulnerability.
6. Educate network administrators about the risks of XSS in management interfaces and the importance of session protection.
7. Implement network access control (NAC) to limit unauthorized devices on the LAN.
8. If possible, replace vulnerable routers with models that have robust security features and proper input validation.
9. Use web application firewalls (WAF) or intrusion detection systems (IDS) tuned to detect suspicious activity related to DHCP hostname injection or management UI access.
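The root cause described in the technical summary (a DHCP-supplied hostname stored without validation and rendered without output encoding) and recommendation 3 above (monitoring DHCP records for suspicious hostnames) can both be made concrete in code. The following is an added example written for this page; it is not code from the advisory, the vendor, or the router firmware. It shows the unsafe interpolation pattern beside its encoded form, an RFC 1123 allow-list check to apply before a hostname is stored, and a scanner over DHCP lease records. The lease-line layout (`<epoch> <mac> <ip> <hostname>`) and the sample entries are constructed assumptions for the example, not real router output.

```python
"""Defensive handling of DHCP-supplied hostnames (added example, not vendor code).

Three pieces:
  * render_row_unsafe / render_row_safe - the interpolation bug behind a stored
    XSS, and the output-encoded version that keeps a hostname as text.
  * validate_hostname - RFC 1123 allow-list check before a hostname is stored.
  * scan_dhcp_leases  - report lease entries whose hostname would fail the
    allow-list or carries markup metacharacters (log monitoring).
The lease-line layout and sample entries below are constructed for this example.
"""
import html
import re
from typing import Dict, List

# RFC 1123 label: letters/digits/hyphens, no leading or trailing hyphen,
# at most 63 characters; labels joined by dots; whole name at most 253 chars.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")

# Characters with meaning to an HTML parser or inside an attribute value.
_MARKUP_CHARS = set("<>\"'&;=()/\\")


def render_row_unsafe(hostname: str) -> str:
    """The vulnerable pattern: the stored value is spliced into HTML as-is,
    so any markup in it becomes part of the page the admin's browser parses."""
    return f"<td>{hostname}</td>"


def render_row_safe(hostname: str) -> str:
    """Output encoding: html.escape(quote=True) turns < > & " ' into entities,
    so the stored value is displayed as text in both element and attribute
    contexts and can never be interpreted as markup."""
    return f"<td>{html.escape(hostname, quote=True)}</td>"


def validate_hostname(name: str) -> bool:
    """Allow-list check to run before a DHCP Option 12 hostname is stored."""
    return len(name) <= 253 and _HOSTNAME_RE.fullmatch(name) is not None


def suspicious_reasons(name: str) -> List[str]:
    """Why a hostname looks like an injection attempt (empty list if clean)."""
    reasons = []
    bad = "".join(sorted(c for c in set(name) if c in _MARKUP_CHARS))
    if bad:
        reasons.append("markup characters " + bad)
    if not validate_hostname(name):
        reasons.append("not a valid RFC 1123 hostname")
    # Heuristic for script-bearing values; a valid hostname never matches.
    if re.search(r"(?i)<\s*script|javascript:|on[a-z]+\s*=", name):
        reasons.append("script-like token")
    return reasons


def scan_dhcp_leases(lines: List[str]) -> List[Dict[str, object]]:
    """Parse constructed lease lines '<epoch> <mac> <ip> <hostname>' (hostname
    is everything after the third space, so embedded spaces are kept) and
    return one finding per entry that is not a clean hostname."""
    findings = []
    for line in lines:
        parts = line.rstrip("\n").split(" ", 3)
        if len(parts) < 4:
            continue  # malformed record; skip rather than guess
        epoch, mac, ip, hostname = parts
        reasons = suspicious_reasons(hostname)
        if reasons:
            findings.append({"epoch": epoch, "mac": mac, "ip": ip,
                             "hostname": hostname, "reasons": reasons})
    return findings


# Constructed sample lease records (not real router output).
SAMPLE_LEASES = [
    "1733760000 aa:bb:cc:dd:ee:01 192.168.1.20 laptop-01",
    "1733760010 aa:bb:cc:dd:ee:02 192.168.1.21 printer.lab.local",
    "1733760020 aa:bb:cc:dd:ee:03 192.168.1.22 pc<script>x</script>",
    "1733760030 aa:bb:cc:dd:ee:04 192.168.1.23 -badstart",
]

if __name__ == "__main__":
    for hit in scan_dhcp_leases(SAMPLE_LEASES):
        print(f"{hit['ip']} {hit['mac']} hostname={hit['hostname']!r}: "
              + "; ".join(hit["reasons"]))
    print("unsafe:", render_row_unsafe(SAMPLE_LEASES[2].split(" ", 3)[3]))
    print("safe:  ", render_row_safe(SAMPLE_LEASES[2].split(" ", 3)[3]))
```

The allow-list check is the fix that belongs at the storage boundary (recommendation 2), and the output encoding is the fix that belongs at the rendering boundary; a management UI needs both, because a hostname that slipped past validation through another path still must not reach the page as markup. The scanner is deliberately noisy in the right direction: any character outside the RFC 1123 alphabet is reported, so it does not depend on recognising a particular payload.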
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-11-18T00:00:00.000Z
Cvss Version: null
State: PUBLISHED
Threat ID: 693852147515e08d31601b94
Added to database: 12/9/2025, 4:45:08 PM
Last enriched: 12/16/2025, 5:51:57 PM
Last updated: 2/7/2026, 11:03:01 AM