Neterbit NW-431F Router CVE-2025-67448
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
The SMS module in Neterbit NW-431F Router 20241014-IR03 and before is vulnerable to stored XSS. The application does not properly sanitize user input in SMS messages before storing and displaying them. An attacker can send an SMS containing a malicious XSS payload, which will be executed in the context of the victim's browser when the message is viewed.
AnalysisAI
Stored cross-site scripting in the SMS module of Neterbit NW-431F Router firmware 20241014-IR03 and earlier allows remote attackers to inject JavaScript payloads via inbound SMS messages, which execute in the administrator's browser when the SMS interface is viewed. No public exploit identified at time of analysis, though a researcher repository on GitHub documents the issue. The cellular-router form factor makes the SMS vector particularly notable because injection can originate from the mobile network rather than the local LAN.
Technical ContextAI
The Neterbit NW-431F is a 4G/LTE cellular router that exposes received SMS messages through its administrative web interface. The vulnerability stems from missing output encoding (and likely missing input sanitization) when SMS message bodies are stored and later rendered in HTML context - a classic Stored XSS pattern (CWE-79, not explicitly assigned in the record). Because the SMS body is attacker-controllable over the cellular bearer and is persisted server-side on the device, any payload survives across sessions and is delivered to every administrator who opens the SMS view. CPE data is uninformative (cpe:2.3:a:n/a:n/a) - MITRE has not yet produced a structured CPE entry for the affected device, so version matching depends on the textual firmware tag '20241014-IR03 and before'.
RemediationAI
No vendor-released patch identified at time of analysis - the references list only the vendor homepage (https://neterbit.com/) and a researcher disclosure repository (https://github.com/fun-beep/CVEs/tree/main/CVE-2025-67448), with no fixed firmware version cited. Operators should contact Neterbit support to obtain a fixed firmware build superseding 20241014-IR03 and subscribe to vendor advisories. Until a patch is available, restrict access to the router's web administration interface to trusted management VLANs or VPN-only access (this does not block the SMS ingress vector but contains XSS impact to authorized admins), disable or unbind the SIM from the SMS-capable APN if SMS functionality is not required for operations (trade-off: loses any legitimate SMS alerting/remote-control features the device offers), use a dedicated browser profile with no saved router credentials when accessing the SMS view to reduce session-theft impact, and consider deploying a reverse proxy with a strict Content-Security-Policy header in front of the admin UI to neutralize injected inline script (trade-off: may break legitimate dynamic admin UI features).
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today