CVE-2025-25613 – The FS Inc S3150-8T2F switch transmits administ... (How to Fix)

Q: What is the severity of CVE-2025-25613?

CVE-2025-25613 has a CVSS score of 7.5 (HIGH). The FS Inc S3150-8T2F switch transmits administrative credentials in cleartext via base64-encoded cookies during every POST request to the web interface. This allows attackers with network access to intercept and decode administrator usernames and passwords. All organizations using affected versions of this switch are vulnerable.

📋 TL;DR

The FS Inc S3150-8T2F switch transmits administrative credentials in cleartext via base64-encoded cookies during every POST request to the web interface. This allows attackers with network access to intercept and decode administrator usernames and passwords. All organizations using affected versions of this switch are vulnerable.

💻 Affected Systems

Products:

FS Inc S3150-8T2F 8-Port Gigabit Ethernet L2+ Switch

Versions: All versions before 2.2.0D Build 135103

Operating Systems: Embedded switch firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability exists in the web-based administrative application of the switch firmware.

📦 What is this software?

S3150 8t2f Firmware by Fs

View all CVEs affecting S3150 8t2f Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full network compromise where attackers gain administrative access to the switch, enabling them to reconfigure network settings, intercept traffic, or use the switch as a pivot point to attack other systems.

🟠

Likely Case

Attackers capture administrative credentials and gain unauthorized access to the switch's management interface, potentially disrupting network operations or conducting further reconnaissance.

🟢

If Mitigated

With proper network segmentation and monitoring, impact is limited to potential credential exposure without lateral movement opportunities.

🌐 Internet-Facing: HIGH - If the management interface is exposed to the internet, attackers can easily intercept credentials and gain administrative access.

🏢 Internal Only: MEDIUM - Attackers on the local network can still intercept credentials, but requires initial network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires network access to intercept HTTP traffic. Attackers can use tools like Wireshark or Burp Suite to capture and decode base64 credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.0D Build 135103 or later

Vendor Advisory: http://fs.com

Restart Required: Yes

Instructions:

1. Download firmware version 2.2.0D Build 135103 or later from FS Inc website. 2. Log into switch web interface. 3. Navigate to System > Firmware Upgrade. 4. Upload the new firmware file. 5. Reboot the switch after upgrade completes.

🔧 Temporary Workarounds

Disable HTTP web interface

all

Disable the vulnerable HTTP web interface and use HTTPS or console/SSH management only

configure terminal
no ip http server
ip http secure-server
end
write memory

Restrict management interface access

all

Apply access control lists to restrict access to the management interface

configure terminal
access-list 10 permit [trusted_network]
interface vlan 1
ip access-group 10 in
end
write memory

🧯 If You Can't Patch

Isolate switch management interface on a dedicated VLAN with strict access controls
Implement network monitoring to detect credential interception attempts and unauthorized access

🔍 How to Verify

Check if Vulnerable:

Capture network traffic to the switch's web interface during login or any POST request, then decode base64 values in cookie headers to check for credentials.

Check Version:

show version (via CLI) or check System Information in web interface

Verify Fix Applied:

After patching, verify that cookies no longer contain base64-encoded credentials and that HTTPS is properly implemented.

📡 Detection & Monitoring

Log Indicators:

Multiple failed login attempts followed by successful login from unusual IP
Administrative configuration changes from unexpected sources

Network Indicators:

Unencrypted HTTP traffic to switch management interface containing base64 strings in cookies
Traffic interception tools like Wireshark or tcpdump targeting switch IP

SIEM Query:

source_ip="switch_ip" AND (http.cookie CONTAINS "base64" OR http.cookie CONTAINS "Authorization=")

📊 Metadata

CVE ID: CVE-2025-25613

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-312

EPSS Score: 0.02% exploit probability (5.6th percentile)

Published: November 20, 2025

Last Updated: January 15, 2026

🔗 References

http://fs.com Product
http://s3150-8t2f.com Broken Link
https://github.com/SwiftSecur/S3150-8T2F-FS.com-Research/wiki Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-25613, you might also want to check these: