CVE-2025-13589

N/A Unknown

📋 TL;DR

FMS software developed by Otsuka Information Technology contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in users' browsers through phishing links. This affects all users accessing vulnerable FMS instances, potentially compromising their sessions and data.

💻 Affected Systems

Products:
  • FMS (developed by Otsuka Information Technology)
Versions: Specific versions not disclosed in available references
Operating Systems: Any OS running vulnerable FMS software
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments of affected FMS versions are vulnerable by default. The vulnerability requires user interaction via phishing.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal user credentials, session tokens, or sensitive data, perform actions on behalf of users, and potentially pivot to internal systems.

🟠 Likely Case

Attackers use phishing emails to trick users into clicking malicious links, leading to session hijacking, credential theft, or malware delivery.

🟢 If Mitigated

With proper web application firewalls and user awareness training, impact is limited to isolated incidents with minimal data exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Reflected XSS vulnerabilities are commonly weaponized in phishing campaigns. No public exploit code is currently available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in available references

Vendor Advisory: https://www.twcert.org.tw/en/cp-139-10521-abdc1-2.html

Restart Required: Yes

Instructions:

1. Contact Otsuka Information Technology for patch details.
2. Apply the security update to all FMS instances.
3. Restart the FMS application/services.
4. Verify the fix is applied.

🔧 Temporary Workarounds

Web Application Firewall (WAF) (applies to: all)

Deploy a WAF with XSS protection rules to block malicious payloads.

Content Security Policy (CSP) (applies to: all)

Implement strict CSP headers to restrict script execution sources, for example:

    Content-Security-Policy: default-src 'self'; script-src 'self'

Note that a script-src without 'unsafe-inline' blocks injected inline scripts (the reflected XSS vector) but also blocks the application's own inline scripts, so test FMS functionality before enforcing it.

🧯 If You Can't Patch

  • Implement network segmentation to isolate FMS instances from critical systems
  • Enforce user awareness training about phishing risks and suspicious links

🔍 How to Verify

Check if Vulnerable:

Test for reflected XSS by submitting a basic probe such as <script>alert('XSS')</script> in URL parameters and checking whether the response reflects it without HTML encoding.

Check Version:

Check FMS version through application interface or configuration files

Verify Fix Applied:

Retest the same probes after patching to confirm the parameters are now reflected HTML-encoded rather than executed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual long URL parameters with script tags
  • Multiple failed login attempts from same IP
  • User reports of suspicious redirects

Network Indicators:

  • HTTP requests containing script tags in query parameters
  • Outbound connections to unknown domains after FMS access

SIEM Query:

source="fms_logs" AND (url="*<script>*" OR url="*javascript:*")
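As an added example (not from the page or the vendor), the following Python scanner applies the same logic as the SIEM query above to web server access logs, with one caveat a practitioner will want: the SIEM query only matches a literal "<script>" or "javascript:", so the scanner percent-decodes the query string (repeatedly, to catch double encoding) before matching. The log format and sample lines are constructed assumptions; the actual FMS log format is not documented in the references.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in combined access-log format (not real FMS logs).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2025:10:00:01 +0000] "GET /fms/search?q=invoice HTTP/1.1" 200 512
203.0.113.11 - - [01/Jan/2025:10:00:02 +0000] "GET /fms/search?q=<script>alert('XSS')</script> HTTP/1.1" 200 640
203.0.113.12 - - [01/Jan/2025:10:00:03 +0000] "GET /fms/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640
203.0.113.13 - - [01/Jan/2025:10:00:04 +0000] "GET /fms/view?next=javascript:alert(1) HTTP/1.1" 302 0
203.0.113.14 - - [01/Jan/2025:10:00:05 +0000] "GET /fms/view?next=%253Cscript%253E HTTP/1.1" 200 640
"""

# Fields of a combined-format line: client IP, timestamp, method, request target, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Same indicators as the SIEM query (script tags, javascript: URIs), applied after decoding.
XSS_RE = re.compile(r'<\s*/?\s*script|javascript\s*:', re.IGNORECASE)


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (e.g. %253C) are also seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text):
    """Return (client_ip, path, decoded_query) for each request whose query looks like an XSS probe."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        parts = urlsplit(m.group("target"))
        query = fully_decode(parts.query)
        if XSS_RE.search(query):
            hits.append((m.group("ip"), parts.path, query))
    return hits


if __name__ == "__main__":
    for ip, path, query in scan_log(SAMPLE_LOG):
        print(f"{ip} {path}?{query}")
```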
