CVE-2025-64054
CriticalCVSS 9.6Exploitation Probability (EPSS)
Low risk29th percentile - higher than 29% of all known CVEs
Summary
A reflected Cross Site Scripting (XSS) vulnerability in Fanvil x210 devices version 2.12.20 allows attackers to cause denial of service or potentially execute arbitrary commands via a crafted POST request to the /cgi-bin/webconfig?page=upload&action=submit endpoint.
Risk Assessment
The risk for the organization includes remote execution of JavaScript in the victim's browser context, potentially leading to session theft, redirection to malicious sites, or further attacks on the infrastructure.
Recommendation
It is recommended to immediately update the firmware of Fanvil x210 devices to the latest available version and restrict access to the management interface to trusted networks only.
Original NVD description (English source)
A reflected Cross Site Scripting (XSS) vulnerability on Fanvil x210 2.12.20 devices allows attackers to cause a denial of service or potentially execute arbitrary commands via crafted POST request to the /cgi-bin/webconfig?page=upload&action=submit endpoint.

