CVE-2025-9158: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Best Practical Request Tracker
The Request Tracker software is vulnerable to a Stored XSS vulnerability in the calendar invitation parsing feature, which displays invitation data without HTML sanitization. The XSS vulnerability allows an attacker to send a specifically crafted e-mail enabling JavaScript code execution when the ticket is displayed in the context of the logged-in user. This vulnerability affects versions from 5.0.4 through 5.0.8 and from 6.0.0 through 6.0.1.
AI Analysis
Technical Summary
CVE-2025-9158 is a stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, in Best Practical Request Tracker (RT) versions 5.0.4 through 5.0.8 and 6.0.0 through 6.0.1. The flaw lies in the calendar invitation parsing feature: fields taken from an incoming invitation are rendered into the ticket page without HTML sanitization, so an attacker who emails RT a crafted invitation containing HTML or JavaScript gets that markup stored with the ticket and executed in the browser of every user who later views it. Because the script runs with the viewer's session, it can compromise that session, steal cookies, or perform actions on the user's behalf. No authentication is needed to submit the email, but the attack succeeds only when a victim views the affected ticket. The CVSS 4.0 vector reflects this: network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), passive user interaction (UI:P), low confidentiality and integrity impact (VC:L, VI:L) and no availability impact. No patch or public exploit code is currently linked to the record, but the flaw is documented and should be addressed promptly. It is of particular concern where RT is relied on for ticket and calendar management, since a crafted invite could support targeted phishing or lateral movement inside an internal network.
Potential Impact
For European organizations the impact of CVE-2025-9158 can be significant, especially where Request Tracker is a core tool for IT service management, helpdesk operations or internal ticketing workflows. Successful exploitation could lead to session hijacking, unauthorized access to sensitive ticket data, or actions performed under the identity of a legitimate user, with consequent data breaches, disruption of service-management processes and possible GDPR violations if personal or sensitive data is exposed. Exploitation could also be a stepping stone to privilege escalation or lateral movement within the corporate network. Given the medium CVSS score and the need for user interaction the threat is moderate, but it should not be underestimated in sectors that rely heavily on RT or where attackers may send targeted spear-phishing emails carrying malicious calendar invites. The absence of known in-the-wild exploits reduces immediate risk but does not rule out future attacks.
Mitigation Recommendations
European organizations should immediately identify and inventory all instances of Best Practical Request Tracker in use, focusing on versions 5.0.4 through 5.0.8 and 6.0.0 through 6.0.1. Since no official patches are currently linked, organizations should apply the following mitigations:
1) Implement strict email filtering and scanning to detect and quarantine suspicious calendar invitations or emails containing embedded HTML/JavaScript.
2) Restrict or disable the calendar invitation parsing feature if feasible until a patch is available.
3) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the RT web interface.
4) Educate users to be cautious when interacting with calendar invites or tickets from untrusted sources.
5) Monitor logs for unusual activity or repeated viewing of suspicious tickets.
6) Engage with Best Practical for updates and apply patches promptly once released.
7) Consider network segmentation to isolate RT servers and limit exposure.
These mitigations go beyond generic advice by targeting the specific attack vector (inbound calendar invitations) and the affected rendering behaviour.
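As an added illustration, not code from Request Tracker or Best Practical, the following Python sketch shows the two sides of the problem described in the technical summary and in mitigation 1 above: a minimal iCalendar reader, the vulnerable rendering pattern (invitation fields interpolated straight into HTML) beside the hardened one (every field HTML-escaped at output), and a gateway-style check that flags invitations whose text properties carry markup so they can be quarantined before RT ever parses them. The invitation text, its UID, the example.invalid addresses and all function names are constructed for this example and correspond to nothing in RT.

```python
"""Added example, not Request Tracker's code: parse a calendar invitation,
contrast unsafe and escaped rendering of its fields, and flag invites that
carry markup for quarantine at the mail gateway.  All sample data is constructed."""
import html
import re

# Constructed invitation.  The SUMMARY carries the kind of markup the advisory
# describes; DESCRIPTION is folded across two lines (RFC 5545 line folding) to
# show that the parser must unfold before inspecting values.
HOSTILE_INVITE = """\
BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//constructed-sample//EN
METHOD:REQUEST
BEGIN:VEVENT
UID:constructed-0001@example.invalid
DTSTART:20250901T090000Z
DTEND:20250901T100000Z
ORGANIZER:mailto:organizer@example.invalid
SUMMARY:Budget review <script>alert('xss')</script>
DESCRIPTION:Quarterly numbers & forecast.
  Bring the printed deck.
LOCATION:Room 4
END:VEVENT
END:VCALENDAR
"""

# Same invitation with an ordinary summary, to show the check has no false positive.
BENIGN_INVITE = HOSTILE_INVITE.replace(
    "Budget review <script>alert('xss')</script>", "Budget review")

# Free-text properties an invite viewer would render; the ones worth inspecting.
TEXT_PROPERTIES = ("SUMMARY", "DESCRIPTION", "LOCATION", "ORGANIZER", "COMMENT")


def parse_vevent(ics: str) -> dict:
    """Minimal iCalendar reader: unfold continuation lines, then collect the
    properties of the first VEVENT.  Values are returned verbatim and must be
    treated as untrusted text by every caller."""
    unfolded = re.sub(r"\r?\n[ \t]", "", ics)      # a fold is CRLF + one whitespace
    props: dict = {}
    in_event = False
    for line in unfolded.splitlines():
        if line == "BEGIN:VEVENT":
            in_event = True
            continue
        if line == "END:VEVENT":
            break
        if in_event and ":" in line:
            name, value = line.split(":", 1)
            props[name.split(";", 1)[0].upper()] = value   # drop ;PARAM=... from the name
    return props


def render_unsafe(props: dict) -> str:
    """The vulnerable pattern (CWE-79): untrusted values interpolated straight into
    HTML, so a SUMMARY containing <script> reaches the viewer's browser as code."""
    return ("<div class='invite'><h3>{}</h3><p>{}</p><p>{}</p></div>"
            .format(props.get("SUMMARY", ""), props.get("DESCRIPTION", ""),
                    props.get("LOCATION", "")))


def render_safe(props: dict) -> str:
    """The fix: every untrusted value is HTML-escaped at the point of output.
    quote=True also neutralises quotes, which matters inside attribute values."""
    def esc(key: str) -> str:
        return html.escape(props.get(key, ""), quote=True)
    return ("<div class='invite'><h3>{}</h3><p>{}</p><p>{}</p></div>"
            .format(esc("SUMMARY"), esc("DESCRIPTION"), esc("LOCATION")))


# Tags, javascript: URLs and on*= handlers have no business in a calendar text
# field; their presence is a usable quarantine signal for mitigation 1.
MARKUP = re.compile(r"<\s*/?\s*[a-z][^>]*>|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def suspicious_properties(props: dict) -> list:
    """Names of text properties carrying markup; an empty list means deliverable."""
    return [key for key in TEXT_PROPERTIES
            if key in props and MARKUP.search(props[key])]


if __name__ == "__main__":
    for label, invite in (("hostile", HOSTILE_INVITE), ("benign", BENIGN_INVITE)):
        props = parse_vevent(invite)
        print(label, "flagged:", suspicious_properties(props))
        print("  unsafe:", render_unsafe(props))
        print("  safe:  ", render_safe(props))
```

Running the block prints the hostile invite's SUMMARY once as live markup and once as `&lt;script&gt;...`, and reports only SUMMARY as flagged while the benign invite passes clean. The escaping belongs at the output boundary, not in the parser, because the same stored value may later be rendered into several HTML contexts; a strict CSP on the RT interface (mitigation 3) then limits what any field that slips through can do.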
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
Data Version: 5.1
Assigner Short Name: CERT-PL
Date Reserved: 2025-08-19T09:42:07.655Z
CVSS Version: 4.0
State: PUBLISHED
Threat ID: 68fb1ac81658c9c3946ecbca
Added to database: 10/24/2025, 6:20:56 AM
Last enriched: 10/31/2025, 6:48:59 AM
Last updated: 12/7/2025, 11:29:29 AM