CVE-2025-22996

4.8 MEDIUM

📋 TL;DR

A stored cross-site scripting (XSS) vulnerability in the Linksys E5600 router's spf_table_content component allows attackers to inject malicious scripts into the desc parameter. When exploited, this enables execution of arbitrary web scripts or HTML in users' browsers. This affects Linksys E5600 router users running vulnerable firmware version 1.1.0.26.

💻 Affected Systems

Products:
  • Linksys E5600 Router
Versions: Ver. 1.1.0.26
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the spf_table_content component specifically; requires access to the router's web interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal router admin credentials, redirect users to malicious sites, or perform actions as authenticated users, potentially leading to full router compromise.

🟠 Likely Case

Attackers with network access could inject malicious scripts that execute when legitimate users view affected pages, potentially stealing session cookies or performing limited unauthorized actions.

🟢 If Mitigated

With proper input validation and output encoding, the vulnerability would be prevented, and impact would be limited to failed injection attempts.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication to the router's web interface; a public proof-of-concept exists in a GitHub repository.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check Linksys support site for firmware updates
2. Download latest firmware if available
3. Upload via router web interface
4. Reboot router after installation

🔧 Temporary Workarounds

Input Validation Filter

all

Implement client-side and server-side input validation for the desc parameter

Not applicable - requires code changes

Output Encoding

all

Apply proper HTML encoding to user-controlled data before rendering

Not applicable - requires code changes

🧯 If You Can't Patch

  • Restrict access to router web interface to trusted networks only
  • Implement network segmentation to isolate router management interface

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in web interface under Administration > Firmware Upgrade

Check Version:

Not applicable - check via web interface

Verify Fix Applied:

Verify firmware version is newer than 1.1.0.26 and test desc parameter with XSS payloads

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to spf_table_content with script tags in desc parameter
  • Multiple failed authentication attempts followed by successful login

Network Indicators:

  • HTTP requests containing script tags or JavaScript in URL parameters
  • Unusual outbound connections from router after web interface access

SIEM Query:

http.method:POST AND http.uri:"spf_table_content" AND (http.param.desc:*script* OR http.param.desc:*javascript*)
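
The query above matches only the literal strings "script" and "javascript", so it depends on the logged desc value already being decoded. The following is an added example (not from the advisory or the vendor) that applies the same log indicator after percent-decoding the desc field; the request tuple layout, the URI path and the sample records are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample records (method, URI, form-encoded body); not real router logs.
SAMPLE_REQUESTS = [
    ("POST", "/spf_table_content", "name=web&desc=Allow+HTTP+to+NAS"),
    ("POST", "/spf_table_content", "name=x&desc=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    ("POST", "/spf_table_content",
     "name=y&desc=%253Cimg%2520src%253Dx%2520onerror%253D1%253E"),
    ("GET", "/index.html", ""),
]

# Markup a plain-text rule description should never contain.
MARKUP = re.compile(r"[<>]|javascript:|\bon\w+\s*=", re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so nested encodings are normalised."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_desc(method, uri, body):
    """Return the decoded desc value if it carries markup, else None."""
    if method != "POST" or "spf_table_content" not in uri:
        return None
    for raw in parse_qs(body, keep_blank_values=True).get("desc", []):
        desc = fully_decode(raw)
        if MARKUP.search(desc):
            return desc
    return None


def scan(requests):
    """Return (uri, decoded desc) for every request worth reviewing."""
    return [(uri, hit) for method, uri, body in requests
            if (hit := suspicious_desc(method, uri, body)) is not None]


if __name__ == "__main__":
    for uri, desc in scan(SAMPLE_REQUESTS):
        print(f"review: {uri} desc={desc!r}")
```
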
