EUVD-2025-208983

CVE-2025-40842 HIGH
2026-03-25 ERIC
CVSS 4.0 base score: 8.5

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Passive (P)
Scope: Not defined (X)

Lifecycle Timeline

EUVD ID Assigned: Mar 25, 2026 - 13:30 (euvd) - EUVD-2025-208983
Analysis Generated: Mar 25, 2026 - 13:30 (vuln.today)
CVE Published: Mar 25, 2026 - 13:10 (nvd)

Description

Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contain a Cross-Site Scripting (XSS) vulnerability which, if exploited, can lead to unauthorized disclosure and modification of certain information.

Analysis

A Cross-Site Scripting (XSS) vulnerability exists in Ericsson Indoor Connect 8855 versions prior to 2025.Q3, classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). An attacker can inject malicious scripts into the web interface, potentially leading to unauthorized disclosure and modification of sensitive information. No CVSS score, EPSS data, or KEV status is currently available, and no public proof-of-concept has been disclosed, though the vulnerability has been formally documented by Ericsson's Product Security Incident Response Team (PSIRT).

Technical Context

The vulnerability affects Ericsson Indoor Connect 8855 (CPE: cpe:2.3:a:ericsson:indoor_connect_8855:*:*:*:*:*:*:*:*), which is an enterprise wireless indoor positioning and network management system. The root cause is CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). This indicates the application fails to properly sanitize or escape user-supplied input before rendering it in web responses, allowing attackers to inject arbitrary JavaScript code that executes in the context of other users' browsers. The affected component is likely the web administration interface or a client-facing portal used for managing indoor connectivity services.

Affected Products

Ericsson Indoor Connect 8855 versions prior to 2025.Q3 are affected, as confirmed via CPE cpe:2.3:a:ericsson:indoor_connect_8855:*:*:*:*:*:*:*:*. Organizations running Indoor Connect 8855 releases 2025.Q2 and earlier are in scope. The vulnerability has been formally documented by Ericsson PSIRT in its March 2026 security bulletin, available at https://www.ericsson.com/en/about-us/security/psirt/security-bulletin-indoorconnect-march-2026 and https://www.ericsson.com/en/about-us/security/psirt/CVE-2025-40842.

Remediation

Upgrade Ericsson Indoor Connect 8855 to version 2025.Q3 or later immediately, as this version addresses the XSS vulnerability. Consult Ericsson's official security bulletin at https://www.ericsson.com/en/about-us/security/psirt/CVE-2025-40842 for patch availability and installation guidance. As interim mitigations, restrict network access to the Indoor Connect 8855 web administration interface to trusted IP ranges and authorized administrative subnets, deploy web application firewall (WAF) rules to detect and block common XSS payloads, implement Content Security Policy (CSP) headers if configurable, and consider placing the web interface behind a reverse proxy with request filtering until the patch can be applied.

Priority Score

43 (scale: Low / Medium / High / Critical)

Score components:
KEV: 0
EPSS: +0.0
CVSS: +42
POC: 0

EUVD-2025-208983 vulnerability details – vuln.today
