Skip to main content

KeeneticOS CVE-2025-56008

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-10-23 cve@mitre.org
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 20, 2026 - 20:33 vuln.today

DescriptionCVE.org

Cross site scripting (XSS) vulnerability in KeeneticOS before 4.3 at "Wireless ISP" page allows attackers located near to the router to takeover the device via adding additional users with full permissions.

AnalysisAI

Stored cross-site scripting on the KeeneticOS 'Wireless ISP' page enables a physically proximate attacker to compromise a Keenetic router by injecting a malicious payload-likely via a crafted nearby wireless network name (SSID)-that executes in an authenticated administrator's browser session. Successful exploitation allows the attacker to create additional users with full administrative permissions, resulting in complete device takeover. No public exploit code or CISA KEV listing has been identified at time of analysis, and EPSS probability stands at 0.03%, indicating limited current exploitation activity.

Technical ContextAI

KeeneticOS is the proprietary firmware powering Keenetic routers (CPE: cpe:2.3:o:keenetic:keeneticos:*:*:*:*:*:*:*:*). The 'Wireless ISP' page is a router administration feature that scans and displays nearby wireless networks for use as an upstream Internet source. CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates that data from an external source-almost certainly a malicious SSID broadcast by an attacker's nearby access point-is rendered unsanitized in the web administration interface. Because the router reflects externally-sourced wireless scan data without escaping, the attacker controls the injected content without needing any credentials on the device itself. The scope change (S:C in the CVSS vector) correctly models that the injected script executes within the victim's browser session, which holds authenticated access to the router management plane.

RemediationAI

Upgrade KeeneticOS to version 4.3 or later, which addresses this vulnerability per the Keenetic security advisory at https://keenetic.com/global/security#october-2025-web-api-vulnerabilities. Until patching is possible, a concrete compensating control is to disable or avoid using the 'Wireless ISP' (WISP) feature entirely-if the router does not use a wireless upstream connection, this page and its scan data will not be rendered, eliminating the injection surface; note this mitigation removes WISP functionality. Additionally, restricting access to the router's web administration interface to trusted wired LAN segments or a dedicated management VLAN reduces the likelihood of an administrator browsing the vulnerable page while an attacker's malicious AP is in range. Administrators should also audit existing user accounts for any unauthorized accounts with elevated privileges as an indicator of prior compromise.

Share

CVE-2025-56008 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy