CVE-2026-30695 is a Cross-Site Scripting (XSS) vulnerability identified in the web-based configuration interface of multiple Zucchetti Axess access control devices, including models XA4, X3/X3BIO, X4, X7, and XIO/i-door/i-door+. The vulnerability is specifically located in the /file_manager.cgi endpoint, where the dirBrowse parameter fails to properly sanitize user-supplied input. This improper input validation allows an attacker to inject malicious scripts that execute within the context of an authenticated user's browser session. The attack vector typically requires the attacker to lure an authorized user to a crafted URL or exploit the interface directly if accessible. Successful exploitation could lead to session hijacking, unauthorized configuration changes, or theft of sensitive information such as authentication tokens or device configuration data. These devices are critical components in physical security infrastructure, controlling access to facilities and sensitive areas. Although no exploits have been reported in the wild and no CVSS score is assigned yet, the vulnerability is significant due to the potential impact on both physical and cybersecurity. The lack of a patch or mitigation details indicates that organizations should implement compensating controls such as network segmentation, strict access controls, and monitoring until a vendor patch is available. The vulnerability underscores the importance of secure coding practices, especially input validation in embedded device web interfaces.

The impact of CVE-2026-30695 can be substantial for organizations relying on Zucchetti Axess access control devices. Exploitation could allow attackers to execute arbitrary scripts in the context of an authenticated user, potentially leading to session hijacking, unauthorized access to the device management interface, and manipulation of physical access controls. This could result in unauthorized physical entry, disruption of security operations, and exposure of sensitive configuration data. The compromise of access control systems can have cascading effects on overall organizational security, including enabling further network intrusions or physical theft. Given these devices are often deployed in critical infrastructure, government facilities, and large enterprises, the threat extends beyond IT systems to physical security domains. The absence of known exploits reduces immediate risk, but the vulnerability remains a significant concern due to the critical nature of the affected systems and the ease of exploiting XSS flaws once access is gained. Organizations could face reputational damage, regulatory penalties, and operational disruptions if this vulnerability is exploited.

To mitigate CVE-2026-30695, organizations should implement the following specific measures: 1) Restrict access to the web-based configuration interface of Zucchetti Axess devices to trusted networks and users only, using network segmentation and firewall rules. 2) Enforce strong authentication mechanisms and consider multi-factor authentication for device management interfaces to reduce the risk of unauthorized access. 3) Monitor access logs and network traffic for unusual activity targeting the /file_manager.cgi endpoint or attempts to inject scripts via the dirBrowse parameter. 4) Until a vendor patch is available, consider disabling or limiting the use of the vulnerable file manager functionality if feasible. 5) Engage with Zucchetti to obtain security updates or patches as soon as they are released and apply them promptly. 6) Conduct security awareness training for administrators on the risks of phishing or social engineering that could lead to exploitation of XSS vulnerabilities. 7) Implement Content Security Policy (CSP) headers if supported by the device to reduce the impact of XSS attacks. These targeted actions go beyond generic advice by focusing on access control, monitoring, and vendor engagement specific to the affected devices and vulnerability.