CVE-2025-9119: Cross Site Scripting in Netis WF2419
A vulnerability was determined in Netis WF2419 1.2.29433. This vulnerability affects unknown code of the file /index.htm of the component Wireless Settings Page. This manipulation of the argument SSID with the input <img/src/onerror=prompt(8)> causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-9119 is a cross-site scripting (XSS) vulnerability identified in the Netis WF2419 wireless router, specifically version 1.2.29433. The vulnerability resides in the Wireless Settings Page, within the /index.htm file. It is triggered by manipulating the SSID parameter with malicious input, such as an HTML image tag containing an onerror JavaScript event handler (e.g., <img/src/onerror=prompt(8)>). This input is not properly sanitized, allowing an attacker to inject and execute arbitrary JavaScript code in the context of the router's web interface. The vulnerability is remotely exploitable without authentication, meaning an attacker can craft a malicious request to the router's web interface and execute scripts in the victim's browser session. The vendor, Netis, was notified but has not responded or released a patch. The CVSS v4.0 score is 4.8 (medium severity), reflecting the vulnerability's moderate impact and ease of exploitation. The exploit has been publicly disclosed, increasing the risk of exploitation, although no known active exploitation in the wild has been reported yet. This vulnerability could be leveraged by attackers to steal sensitive information such as session cookies, perform unauthorized actions on the router's interface, or pivot to other attacks within the local network. The lack of vendor response and patch availability increases the urgency for affected users to apply mitigations or consider alternative protective measures.
Potential Impact
For European organizations, this vulnerability poses a moderate risk, particularly for those using Netis WF2419 routers in their network infrastructure. Successful exploitation could lead to unauthorized access to router management interfaces, enabling attackers to alter network configurations, redirect traffic, or intercept sensitive communications. This could compromise confidentiality and integrity of internal communications and potentially disrupt availability if network settings are manipulated. Organizations with remote management enabled or exposed router interfaces are at higher risk. Additionally, since the vulnerability requires no authentication and can be triggered remotely, attackers could exploit it over the internet if the router's management interface is accessible externally. This risk is heightened in small and medium enterprises or home office environments where such devices are common and security controls may be limited. The public disclosure of the exploit code increases the likelihood of opportunistic attacks targeting vulnerable devices in Europe. The impact could extend to critical infrastructure sectors if these routers are deployed in operational environments without adequate segmentation or monitoring.
Mitigation Recommendations
Given the absence of an official patch from Netis, European organizations should implement the following specific mitigations: 1) Immediately restrict access to the router's web management interface by disabling remote management or limiting it to trusted IP addresses via firewall rules. 2) Change default credentials to strong, unique passwords to prevent unauthorized access. 3) If possible, disable the wireless settings page or any features that allow SSID modification via the web interface to reduce attack surface. 4) Monitor network traffic for suspicious requests targeting the router's interface, particularly those containing suspicious payloads in the SSID parameter. 5) Consider deploying network segmentation to isolate vulnerable routers from critical systems and sensitive data. 6) Replace affected Netis WF2419 devices with alternative routers from vendors with active security support, especially in environments where patching is not feasible. 7) Educate users and administrators about the risks of XSS and the importance of not interacting with suspicious router management pages or links. 8) Employ web application firewalls (WAFs) or intrusion prevention systems (IPS) that can detect and block XSS attack patterns targeting the router's interface.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium
CVE-2025-9119: Cross Site Scripting in Netis WF2419
Description
A vulnerability was determined in Netis WF2419 1.2.29433. This vulnerability affects unknown code of the file /index.htm of the component Wireless Settings Page. This manipulation of the argument SSID with the input <img/src/onerror=prompt(8)> causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
AI-Powered Analysis
Technical Analysis
CVE-2025-9119 is a cross-site scripting (XSS) vulnerability identified in the Netis WF2419 wireless router, specifically version 1.2.29433. The vulnerability resides in the Wireless Settings Page, within the /index.htm file. It is triggered by manipulating the SSID parameter with malicious input, such as an HTML image tag containing an onerror JavaScript event handler (e.g., <img/src/onerror=prompt(8)>). This input is not properly sanitized, allowing an attacker to inject and execute arbitrary JavaScript code in the context of the router's web interface. The vulnerability is remotely exploitable without authentication, meaning an attacker can craft a malicious request to the router's web interface and execute scripts in the victim's browser session. The vendor, Netis, was notified but has not responded or released a patch. The CVSS v4.0 score is 4.8 (medium severity), reflecting the vulnerability's moderate impact and ease of exploitation. The exploit has been publicly disclosed, increasing the risk of exploitation, although no known active exploitation in the wild has been reported yet. This vulnerability could be leveraged by attackers to steal sensitive information such as session cookies, perform unauthorized actions on the router's interface, or pivot to other attacks within the local network. The lack of vendor response and patch availability increases the urgency for affected users to apply mitigations or consider alternative protective measures.
Potential Impact
For European organizations, this vulnerability poses a moderate risk, particularly for those using Netis WF2419 routers in their network infrastructure. Successful exploitation could lead to unauthorized access to router management interfaces, enabling attackers to alter network configurations, redirect traffic, or intercept sensitive communications. This could compromise confidentiality and integrity of internal communications and potentially disrupt availability if network settings are manipulated. Organizations with remote management enabled or exposed router interfaces are at higher risk. Additionally, since the vulnerability requires no authentication and can be triggered remotely, attackers could exploit it over the internet if the router's management interface is accessible externally. This risk is heightened in small and medium enterprises or home office environments where such devices are common and security controls may be limited. The public disclosure of the exploit code increases the likelihood of opportunistic attacks targeting vulnerable devices in Europe. The impact could extend to critical infrastructure sectors if these routers are deployed in operational environments without adequate segmentation or monitoring.
Mitigation Recommendations
Given the absence of an official patch from Netis, European organizations should implement the following specific mitigations: 1) Immediately restrict access to the router's web management interface by disabling remote management or limiting it to trusted IP addresses via firewall rules. 2) Change default credentials to strong, unique passwords to prevent unauthorized access. 3) If possible, disable the wireless settings page or any features that allow SSID modification via the web interface to reduce attack surface. 4) Monitor network traffic for suspicious requests targeting the router's interface, particularly those containing suspicious payloads in the SSID parameter. 5) Consider deploying network segmentation to isolate vulnerable routers from critical systems and sensitive data. 6) Replace affected Netis WF2419 devices with alternative routers from vendors with active security support, especially in environments where patching is not feasible. 7) Educate users and administrators about the risks of XSS and the importance of not interacting with suspicious router management pages or links. 8) Employ web application firewalls (WAFs) or intrusion prevention systems (IPS) that can detect and block XSS attack patterns targeting the router's interface.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- VulDB
- Date Reserved
- 2025-08-18T15:15:51.402Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 68a3916fad5a09ad00b1ff21
Added to database: 8/18/2025, 8:47:43 PM
Last enriched: 8/18/2025, 9:02:46 PM
Last updated: 8/19/2025, 12:34:26 AM
Views: 3
Related Threats
CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR
CriticalCVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.