CVE-2025-65289 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Mercury MR816v2 router's management UI (firmware version 4.8.7 Build 110427 Rel 36550n). The vulnerability allows a remote attacker on the local area network (LAN) to inject arbitrary JavaScript code by submitting a malicious hostname. This hostname is stored persistently and later rendered in the router's management interface, for example, when DHCP release or renew actions cause the interface to display the stored hostname. Because the management UI uses weak or basic authentication and lacks proper session isolation and protection, the injected script executes in the context of an administrator's browser session. This enables the attacker to steal the administrator's session tokens and perform unauthorized administrative actions, potentially leading to full router compromise. The attack vector requires the attacker to be on the LAN, but no additional user interaction is needed beyond the administrator accessing the management interface. The vulnerability is significant because routers are critical network infrastructure devices, and compromise can lead to network-wide impacts including traffic interception, configuration changes, or persistent backdoors. No official patch or CVSS score is currently available, and no known exploits in the wild have been reported as of publication.

For European organizations, this vulnerability could have severe consequences, especially for enterprises, government agencies, and critical infrastructure operators relying on Mercury MR816v2 routers. Successful exploitation can lead to unauthorized administrative control over the router, enabling attackers to manipulate network configurations, intercept or redirect traffic, and deploy persistent malware. This compromises confidentiality, integrity, and availability of network communications. Given the weak authentication and session management, the risk of session hijacking is high. Organizations with less mature network segmentation or those exposing management interfaces to broader LAN segments are particularly vulnerable. The impact extends beyond the affected device to the entire network, potentially facilitating lateral movement and further compromise. The lack of a patch increases exposure time, and the requirement for LAN access means internal threat actors or compromised devices pose a significant risk.

1. Immediately restrict access to the router management interface to trusted and minimal LAN segments using VLANs or firewall rules. 2. Replace or supplement weak/basic authentication with stronger methods such as multi-factor authentication or at least complex passwords. 3. Monitor DHCP hostnames and network logs for suspicious or unexpected entries that could indicate attempted injection. 4. Disable or limit DHCP release/renew operations that trigger hostname display if possible. 5. Implement network segmentation to isolate management interfaces from general user networks. 6. Regularly audit router firmware versions and apply vendor patches or updates as soon as they become available. 7. Consider deploying web application firewalls (WAFs) or intrusion detection systems (IDS) that can detect and block XSS payloads on internal networks. 8. Educate network administrators about the risks of accessing management interfaces from potentially compromised machines. 9. If feasible, replace affected routers with models known to have stronger security postures.