CVE-2025-63354

4.8 MEDIUM

📋 TL;DR

This stored cross-site scripting (XSS) vulnerability in Hitron HI3120 routers allows an attacker to inject JavaScript via the Parental Control filter creation interface. The injected script persists on the device and runs in the browser of any user who views the router's web interface, enabling session hijacking, credential theft, or device compromise. All users of Hitron HI3120 routers running the vulnerable firmware are at risk.

💻 Affected Systems

Products:
  • Hitron HI3120
Versions: v7.2.4.5.2b1
Operating Systems: Embedded router OS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires access to router web interface; Parental Control feature must be enabled/accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete router compromise allowing the attacker to change DNS settings, intercept all network traffic, install persistent malware, or brick the device.

🟠 Likely Case

Session hijacking of the router admin panel leading to network configuration changes, credential theft, or redirection to malicious sites.

🟢 If Mitigated

Limited impact if the router is behind a firewall with restricted web interface access and users don't access the admin panel.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authentication to router admin interface; stored XSS payload persists until cleared.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

No official patch available. Monitor Hitron security advisories for firmware updates addressing CVE-2025-63354.

🔧 Temporary Workarounds

Disable Parental Control Feature

Applies to: all

Turn off Parental Control functionality to prevent exploitation via this attack vector.

Access router web interface > Parental Control > Disable

Restrict Web Interface Access

Applies to: all

Configure firewall rules to limit access to router admin interface to trusted IPs only.

🧯 If You Can't Patch

  • Isolate router on separate VLAN with no access to critical internal resources
  • Implement strict input validation at network perimeter for router management traffic

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via web interface: Status > Device Info > Firmware Version

Check Version:

curl -s http://router-ip/cgi-bin/status | grep Firmware

Verify Fix Applied:

Test XSS payload injection in Parental Control filter creation; successful sanitization indicates fix.

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript strings in Parental Control filter names
  • Multiple failed login attempts followed by filter creation

Network Indicators:

  • HTTP POST requests to /cgi-bin/parental with JavaScript payloads
  • Unusual outbound connections from router after admin login

SIEM Query:

source="router.log" AND ("parental" AND ("script" OR "javascript" OR "onerror"))
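As an added detection example (not from the original advisory or from Hitron): a Python scan over constructed router log lines that URL-decodes the Parental Control form fields before matching, run beside the raw substring test the SIEM query above performs. The log line format and the form field names `name` and `url` are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed sample log (not from a real device); the line format is an assumption:
SAMPLE_LOG = """\
2025-11-02T10:01:12Z 192.168.0.23 POST /cgi-bin/parental body=name=Kids+Tablet&url=example.com
2025-11-02T10:02:45Z 192.168.0.23 POST /cgi-bin/parental body=name=Subscription+Services&url=example.net
2025-11-02T10:03:01Z 192.168.0.23 POST /cgi-bin/parental body=name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&url=example.org
2025-11-02T10:03:40Z 192.168.0.23 POST /cgi-bin/parental body=name=%3Csvg+onload%3Dalert%281%29%3E&url=example.org
2025-11-02T10:04:09Z 192.168.0.23 GET /cgi-bin/status body=
2025-11-02T10:05:30Z 192.168.0.50 POST /cgi-bin/parental body=name=Homework&url=javascript%3Aalert%281%29
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) body=(?P<body>.*)$")

# Heuristic markers of HTML/JS injection, applied to URL-decoded field values.
XSS_PATTERNS = [
    (re.compile(r"<\s*script", re.I), "script tag"),
    (re.compile(r"javascript\s*:", re.I), "javascript: URI"),
    (re.compile(r"\bon[a-z]+\s*=", re.I), "inline event handler"),
]

def keyword_hit(line):
    """The raw substring test the advisory's SIEM query performs on the undecoded line."""
    low = line.lower()
    return "parental" in low and any(k in low for k in ("script", "javascript", "onerror"))

def xss_findings(body):
    """Decode the form body and return [(field, reason), ...] for values that look injected."""
    found = []
    for field, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            for pattern, reason in XSS_PATTERNS:
                if pattern.search(value):
                    found.append((field, reason))
                    break  # one reason per value is enough
    return found

def scan_log(text):
    """Return one result per Parental Control POST; other requests are ignored."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != "/cgi-bin/parental":
            continue
        results.append({"ts": m["ts"], "ip": m["ip"],
                        "findings": xss_findings(m["body"]),
                        "keyword_hit": keyword_hit(line)})
    return results

if __name__ == "__main__": print(*scan_log(SAMPLE_LOG), sep="\n")
```

On the sample input the raw keyword test also flags the harmless "Subscription Services" filter and misses the `onload` handler, both of which the decoded structural check gets right.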
