CVE-2025-57202

6.1 MEDIUM

📋 TL;DR

A stored cross-site scripting vulnerability in AVTECH SECURITY Corporation's DGM1104 device allows attackers to inject malicious script into the username field via the PwdGrp.cgi endpoint. When other users view the affected page, their browsers execute the injected script, potentially compromising their sessions or devices. All DGM1104 devices running the vulnerable firmware are affected.

💻 Affected Systems

Products:
  • AVTECH SECURITY Corporation DGM1104
Versions: FullImg-1015-1004-1006-1003
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the web interface's user management functionality. All devices running the specified firmware version are vulnerable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator credentials, hijack user sessions, redirect users to malicious sites, or perform actions on behalf of authenticated users, potentially leading to full device compromise.

🟠

Likely Case

Attackers inject malicious scripts that steal session cookies or credentials when legitimate users access the affected interface, leading to unauthorized access to the device management interface.

🟢

If Mitigated

With proper input validation and output encoding, the malicious payloads would be rendered harmless as plain text rather than executable code.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication to access the PwdGrp.cgi endpoint. The GitHub repository contains proof-of-concept code demonstrating the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

Check AVTECH SECURITY Corporation's website for security advisories and firmware updates. If available, download and apply the latest firmware patch following vendor instructions.

🔧 Temporary Workarounds

Input Validation and Sanitization

Applies to: all

Implement server-side validation to reject or sanitize special characters in username fields before storage.

Output Encoding

Applies to: all

Apply proper HTML encoding to all user-controlled data before rendering in web pages.
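The two workarounds above (server-side validation before storage, output encoding before rendering) as one added example. This is illustrative code, not AVTECH's firmware or anything from the PwdGrp.cgi handler; the allow-list, the row template and the function names are assumptions. The unsafe renderer is included only to show the defect class next to its hardened form.

```python
import html
import re

# Added example (not vendor code): allow-list validation at storage time plus
# HTML encoding at render time for a user-management page. Names and the
# templates below are assumptions about how such a page might be built.

# Allow-list for usernames: letters, digits, dot, underscore, hyphen; 1-32 chars.
# Anything outside this set (including '<', '>', '"', "'") is rejected.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,32}$")


def validate_username(name: str) -> bool:
    """Server-side check to apply before the username is stored."""
    return USERNAME_RE.fullmatch(name) is not None


def render_user_row_unsafe(name: str) -> str:
    """The defect class: a stored value concatenated into HTML unchanged,
    so any markup in the username becomes part of the page."""
    return f"<tr><td>{name}</td></tr>"


def render_user_row_safe(name: str) -> str:
    """Encode at output time, regardless of what reached storage.
    Text context: '<', '>' and '&' must be escaped."""
    return f"<tr><td>{html.escape(name, quote=True)}</td></tr>"


def render_edit_form_safe(name: str) -> str:
    """Attribute context: quotes must be escaped as well, otherwise a value
    containing '"' could break out of the attribute. quote=True does that."""
    return f'<input name="username" value="{html.escape(name, quote=True)}">'


if __name__ == "__main__":
    sample = '<b>x</b>'  # constructed input, not a real account name
    print("valid:", validate_username(sample))
    print("unsafe:", render_user_row_unsafe(sample))
    print("safe:  ", render_user_row_safe(sample))
    print("form:  ", render_edit_form_safe('a"b'))
```

Validation alone is not enough, because values stored before the check was added are still in the database; encoding at output is what neutralises those, which is why the page lists both.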

🧯 If You Can't Patch

  • Isolate the DGM1104 device on a separate network segment with restricted access
  • Implement a web application firewall (WAF) with XSS protection rules in front of the device

🔍 How to Verify

Check if Vulnerable:

Attempt to inject a simple XSS payload like <script>alert('test')</script> into the username field via the PwdGrp.cgi endpoint and check if it executes when viewing the page.

Check Version:

Check the device web interface's system information page or use SSH/Telnet to run system version commands if available.

Verify Fix Applied:

After applying mitigations, test the same XSS payload injection to confirm it's properly sanitized or rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual username entries containing script tags or JavaScript code in authentication logs
  • Multiple failed login attempts followed by successful access to user management functions

Network Indicators:

  • HTTP POST requests to PwdGrp.cgi with suspicious payloads in parameters
  • Unusual outbound connections from the DGM1104 device following user interface access

SIEM Query:

source="dgm1104" AND (uri="/cgi-bin/PwdGrp.cgi" AND (param="username" CONTAINS "<script>" OR param="username" CONTAINS "javascript:"))
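The log and network indicators above, turned into a small offline check as an added example (not a vendor tool and not the SIEM query itself). It scans constructed access-log lines for POSTs to the PwdGrp.cgi endpoint whose username parameter carries script-like content; the tab-separated log format, the field order and the indicator list are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Added example: flag POSTs to PwdGrp.cgi whose "username" form field looks
# like injected markup. Log format (tab-separated: timestamp, source IP,
# method, path, URL-encoded body) is an assumption for this example.

# Constructed sample log lines, not captured from a real device.
SAMPLE_LOG = """\
2025-09-01T10:00:01Z\t10.0.0.5\tPOST\t/cgi-bin/PwdGrp.cgi\tusername=operator&password=x&action=add
2025-09-01T10:00:07Z\t10.0.0.9\tPOST\t/cgi-bin/PwdGrp.cgi\tusername=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&action=add
2025-09-01T10:00:09Z\t10.0.0.9\tPOST\t/cgi-bin/PwdGrp.cgi\tusername=x%22+onmouseover%3D%22alert%281%29&action=edit
2025-09-01T10:00:12Z\t10.0.0.7\tGET\t/cgi-bin/Search.cgi\tq=javascript
2025-09-01T10:00:20Z\t10.0.0.9\tPOST\t/cgi-bin/PwdGrp.cgi\tusername=javascript%3Aalert%281%29&action=add
"""

# HTML tag names and attribute names are case-insensitive, so match that way.
INDICATORS = [
    re.compile(r"<\s*script", re.I),           # the page's own indicator
    re.compile(r"javascript\s*:", re.I),       # the page's own indicator
    re.compile(r"\bon[a-z]+\s*=", re.I),       # inline event handler, e.g. onload=
    re.compile(r"<\s*(img|svg|iframe)", re.I), # other tags commonly used for XSS
]


def suspicious_username(value: str) -> bool:
    """parse_qs already URL-decodes once; decode once more so a
    double-encoded value (e.g. %253C for '<') is still inspected."""
    decoded = unquote_plus(value)
    return any(p.search(decoded) for p in INDICATORS)


def scan_log(text: str, endpoint: str = "/cgi-bin/PwdGrp.cgi") -> list:
    """Return one record per POST to `endpoint` with a suspicious username."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, path, body = line.split("\t", 4)
        if method != "POST" or path != endpoint:
            continue
        params = parse_qs(body, keep_blank_values=True)
        for name in params.get("username", []):
            if suspicious_username(name):
                hits.append({"ts": ts, "src": src, "username": name})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} username={hit['username']!r}")
```

Matching on the decoded value rather than the raw request line is the point: the SIEM query above looks for the literal strings "<script>" and "javascript:", which a percent-encoded body never contains, so a decoding step is needed before that query's conditions apply.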
