Skip to main content

Ericsson CVE-2025-40842

| EUVDEUVD-2025-208983 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 ERIC
8.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:16 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2025.Q3
EUVD ID Assigned
Mar 25, 2026 - 13:30 euvd
EUVD-2025-208983
Analysis Generated
Mar 25, 2026 - 13:30 vuln.today
CVE Published
Mar 25, 2026 - 13:10 nvd
HIGH 8.5

DescriptionCVE.org

Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contains a Cross-Site Scripting (XSS) vulnerability which, if exploited, can lead to unauthorized disclosure and modification of certain information.

AnalysisAI

A Cross-Site Scripting (XSS) vulnerability exists in Ericsson Indoor Connect 8855 versions prior to 2025.Q3, classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). An attacker can inject malicious scripts into the web interface, potentially leading to unauthorized disclosure and modification of sensitive information. No CVSS score, EPSS data, or KEV status is currently available, and no public proof-of-concept has been disclosed, though the vulnerability has been formally documented by Ericsson's Product Security Incident Response Team (PSIRT).

Technical ContextAI

The vulnerability affects Ericsson Indoor Connect 8855 (CPE: cpe:2.3:a:ericsson:indoor_connect_8855:*:*:*:*:*:*:*:*), which is an enterprise wireless indoor positioning and network management system. The root cause is CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). This indicates the application fails to properly sanitize or escape user-supplied input before rendering it in web responses, allowing attackers to inject arbitrary JavaScript code that executes in the context of other users' browsers. The affected component is likely the web administration interface or a client-facing portal used for managing indoor connectivity services.

RemediationAI

Upgrade Ericsson Indoor Connect 8855 to version 2025.Q3 or later immediately, as this version addresses the XSS vulnerability. Consult Ericsson's official security bulletin at https://www.ericsson.com/en/about-us/security/psirt/CVE-2025-40842 for patch availability and installation guidance. As interim mitigations, restrict network access to the Indoor Connect 8855 web administration interface to trusted IP ranges and authorized administrative subnets, deploy Web Application Firewalls (WAF) rules to detect and block common XSS payloads, implement Content Security Policy (CSP) headers if configurable, and consider placing the web interface behind a reverse proxy with request filtering until the patch can be applied.

CVE-2015-2166 MEDIUM POC
5.0 Apr 06

Directory traversal vulnerability in the Instance Monitor in Ericsson Drutt Mobile Service Delivery Platform (MSDP) 4, 5

CVE-2018-9245 CRITICAL POC
9.8 Apr 22

The Ericsson-LG iPECS NMS A.1Ac login portal has a SQL injection vulnerability in the User ID and password fields that a

CVE-2018-10285 CRITICAL POC
9.8 Apr 22

The Ericsson-LG iPECS NMS A.1Ac web application uses incorrect access control mechanisms. Rated critical severity (CVSS

CVE-2021-43339 HIGH POC
8.8 Nov 03

In Ericsson Network Location before 2021-07-31, it is possible for an authenticated attacker to inject commands via file

CVE-2018-10286 HIGH POC
8.8 Apr 22

The Ericsson-LG iPECS NMS A.1Ac web application discloses sensitive information such as the NMS admin credentials and th

CVE-2021-41390 HIGH POC
8.0 Sep 17

In Ericsson ECM before 18.0, it was observed that Security Provider Endpoint in the User Profile Management Section is v

CVE-2018-15138 HIGH POC
7.5 Aug 15

Ericsson-LG iPECS NMS 30M allows directory traversal via ipecs-cm/download?filename=../ URIs. Rated high severity (CVSS

CVE-2019-7417 MEDIUM POC
6.1 Mar 21

XSS exists in Ericsson Active Library Explorer (ALEX) 14.3 in multiple parameters in the "/cgi-bin/alexserv" servlet, as

CVE-2015-2167 MEDIUM POC
5.8 Apr 06

Open redirect vulnerability in the 3PI Manager in Ericsson Drutt Mobile Service Delivery Platform (MSDP) 4, 5, and 6 all

CVE-2021-41391 MEDIUM POC
5.4 Sep 17

In Ericsson ECM before 18.0, it was observed that Security Management Endpoint in User Profile Management Section is vul

CVE-2020-29145 MEDIUM POC
5.4 Nov 27

In Ericsson BSCS iX R18 Billing & Rating iX R18, ADMX is a web base module in BSCS iX that is vulnerable to stored XSS v

CVE-2020-29144 MEDIUM POC
5.4 Nov 27

In Ericsson BSCS iX R18 Billing & Rating iX R18, MX is a web base module in BSCS iX that is vulnerable to stored XSS via

Share

CVE-2025-40842 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy