CVE-2026-29513 is a stored cross-site scripting (XSS) vulnerability identified in the firmware of Shenzhen Hereta Technology Co., Ltd.'s ETH-IMC408M device, specifically in firmware version 1.0.15 and prior. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), where the Device Location field accepts user input without adequate sanitization. An authenticated attacker with access to the device's management interface can inject arbitrary JavaScript code into this field. When legitimate users access the System Status interface, the malicious script executes in their browsers, potentially allowing session hijacking, credential theft, or unauthorized actions within the web interface context. The vulnerability requires the attacker to have at least low-level privileges (authenticated access) but does not require user interaction beyond viewing the status page. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), and user interaction required (UI:P), with limited scope and impact confined to confidentiality and integrity. No patches or official fixes are currently available, and no known exploits have been reported in the wild. This vulnerability highlights the risks of insufficient input validation in embedded device web interfaces, which can be leveraged to compromise device management and network security.

The primary impact of this vulnerability is the potential compromise of confidentiality and integrity for users interacting with the affected device's web interface. An attacker exploiting this XSS flaw can execute arbitrary scripts in the context of legitimate users' browsers, leading to session hijacking, theft of authentication tokens, or manipulation of device settings if combined with other vulnerabilities. This can result in unauthorized control over the device or leakage of sensitive network information. Since the device is likely used in industrial or network infrastructure environments, exploitation could disrupt operational technology systems or provide a foothold for further network intrusion. The requirement for authentication limits the attack surface but does not eliminate risk, especially in environments with weak credential management or insider threats. The absence of known exploits reduces immediate risk, but the medium severity score and the nature of stored XSS vulnerabilities warrant prompt mitigation to prevent potential targeted attacks.

Organizations should prioritize upgrading the ETH-IMC408M firmware to a version that addresses this vulnerability once available from Shenzhen Hereta Technology. In the absence of an official patch, administrators should restrict access to the device's management interface to trusted personnel and networks, employing strong authentication mechanisms and network segmentation. Implementing web application firewalls (WAFs) that can detect and block malicious script injection attempts may provide interim protection. Additionally, monitoring device logs and network traffic for unusual activity related to the System Status interface can help detect exploitation attempts. Educating users to avoid unnecessary access to the device's web interface and enforcing the principle of least privilege for device management accounts will further reduce risk. Finally, vendors should be engaged to expedite patch development and provide guidance on secure configuration.