CVE-2025-13650

6.1 MEDIUM

📋 TL;DR

This is a cross-site scripting (XSS) vulnerability in Microcom's ZeusWeb application version 6.1.31. An attacker can inject malicious JavaScript into the 'Surname' field during account creation, potentially compromising user sessions or stealing credentials. Any organization using the vulnerable ZeusWeb version is affected.

💻 Affected Systems

Products:
  • Microcom ZeusWeb
Versions: 6.1.31
Operating Systems: Unknown
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the web interface accessible via HTTPS on port 4040. No registration is required to exploit it.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker steals administrator credentials, takes full control of the ZeusWeb application, and potentially accesses sensitive customer data or infrastructure.

🟠 Likely Case

Attacker steals session cookies from legitimate users, hijacks their accounts, and performs unauthorized actions within the application.

🟢 If Mitigated

With proper input validation and output encoding, the attack would fail, and no user data would be compromised.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is straightforward to exploit with basic XSS payloads. No authentication is required, making it easily weaponizable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.microcom360.com/servicio-zeus-web/

Restart Required: No

Instructions:

Contact Microcom for an official patch or upgrade instructions. Monitor their website for security updates.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

Implement server-side validation and sanitization of the 'Surname' parameter so that script tags and other markup characters are stripped or encoded, and HTML-encode the value wherever it is rendered back into a page.

Web Application Firewall (WAF) Rules (applies to: all)

Deploy a WAF with rules to block XSS payloads targeting the 'Surname' parameter, matching on the decoded parameter value so URL-encoded variants are caught as well.

🧯 If You Can't Patch

  • Restrict access to the ZeusWeb application to trusted IP addresses only using network ACLs or firewalls.
  • Disable the 'Create Account' functionality temporarily if not essential, or implement additional client-side validation as a temporary measure (client-side checks can be bypassed by a user who edits the request, so treat this as a stopgap, not a fix).

🔍 How to Verify

Check if Vulnerable:

Test by injecting a basic XSS payload (e.g., <script>alert('XSS')</script>) into the 'Surname' field during account creation and check if it executes.

Check Version:

Check the application interface or configuration files for the version number, typically displayed in the web UI or footer.

Verify Fix Applied:

After applying fixes, repeat the XSS test to ensure the payload is sanitized or blocked and does not execute.

📡 Detection & Monitoring

Log Indicators:

  • Unusual strings containing script tags or JavaScript in 'Surname' parameter logs
  • Multiple failed account creation attempts with suspicious input

Network Indicators:

  • HTTP POST requests to the account creation endpoint with encoded script tags in parameters

SIEM Query:

source="web_logs" AND url="/index.html?zeus6=true" AND method="POST" AND param="Surname" AND (value CONTAINS "<script>" OR value CONTAINS "javascript:")
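The log and network indicators above, turned into a small offline check as an added example (not code from the advisory or from Microcom). It runs over constructed sample log lines; the "METHOD PATH BODY" log layout is an assumption, and the account-creation URL is taken from the SIEM query above. Unlike a plain substring match, it decodes the parameter first so URL-encoded and double-encoded payloads are inspected in their final form.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Assumed account-creation endpoint, taken from the advisory's SIEM query.
ACCOUNT_ENDPOINT = "/index.html?zeus6=true"

# Indicators named in the advisory: script tags and javascript: URLs,
# matched case-insensitively and tolerant of whitespace around the tag name.
XSS_PATTERN = re.compile(r"<\s*script\b|javascript\s*:", re.IGNORECASE)

# Constructed sample log lines in "METHOD PATH BODY" form (the real ZeusWeb
# log format is not documented on the page, so this layout is an assumption).
SAMPLE_LOGS = [
    "POST /index.html?zeus6=true Name=Ana&Surname=Garcia",
    "POST /index.html?zeus6=true Name=Ana&Surname=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E",
    "POST /index.html?zeus6=true Name=Bo&Surname=javascript%3Aalert%281%29",
    "POST /index.html?zeus6=true Name=Cy&Surname=%253Cscript%253E",  # double-encoded
    "GET /index.html?zeus6=true Name=Bo&Surname=%3Cscript%3E",        # not a POST
    "POST /login Name=x&Surname=%3Cscript%3E",                        # other endpoint
]


def surname_from_line(line):
    """Return the fully decoded 'Surname' value for a POST to the account
    endpoint, or None if the line is not an account-creation request."""
    parts = line.split(" ", 2)
    if len(parts) != 3:
        return None
    method, path, body = parts
    if method != "POST" or path != ACCOUNT_ENDPOINT:
        return None
    values = parse_qs(body, keep_blank_values=True).get("Surname")
    if not values:
        return None
    # parse_qs percent-decodes once; decode again so a double-encoded
    # payload (%253C -> %3C -> <) is inspected in its final form.
    return unquote_plus(values[0])


def is_suspicious(line):
    """True when the decoded Surname carries one of the advisory's indicators."""
    surname = surname_from_line(line)
    return surname is not None and XSS_PATTERN.search(surname) is not None


def flag_lines(lines):
    """Return the subset of log lines that should raise an alert."""
    return [line for line in lines if is_suspicious(line)]
```

Requests to other endpoints or with other methods are ignored so the check stays scoped to the vulnerable account-creation flow.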
