CVE-2025-65228

3.5 LOW

📋 TL;DR

A stored cross-site scripting vulnerability in the R.V.R. Elettronica TLK302T telemetry controller web management interface allows attackers to inject malicious scripts that execute when users view affected pages. This affects organizations using the TLK302T controller with vulnerable firmware. Attackers could steal session cookies, redirect users, or perform actions on their behalf.

💻 Affected Systems

Products:
  • R.V.R. Elettronica TLK302T telemetry controller
Versions: Firmware 1.5.1799
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the web management interface component of the device.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the management interface leading to device reconfiguration, data theft, or use as a pivot point into the industrial network.

🟠 Likely Case

Session hijacking allowing unauthorized access to the management interface, potentially leading to device misconfiguration or telemetry data manipulation.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent external access to the management interface.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the management interface, which typically requires authentication. The GitHub reference contains technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.rvr.it/en/products/components/telemetry-units-system/tlk300-series/tlk302t/

Restart Required: No

Instructions:

Check vendor website for firmware updates. If available, download and apply following vendor instructions.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Isolate the TLK302T management interface from untrusted networks

Access Control Lists (applies to: all)

Restrict access to the management interface to authorized IP addresses only

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the device from untrusted networks
  • Use a web application firewall (WAF) with XSS protection rules in front of the management interface

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface or console. If version is 1.5.1799, device is vulnerable.

Check Version:

Check via web interface at System > Firmware or similar menu

Verify Fix Applied:

Verify firmware version has been updated to a version later than 1.5.1799

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to management interface with script tags
  • Multiple failed login attempts followed by successful login

Network Indicators:

  • HTTP requests containing script tags or JavaScript payloads to the management interface

SIEM Query:

source="tlk302t_logs" AND (http_request CONTAINS "<script>" OR http_request CONTAINS "javascript:")
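As an added example that is not part of this advisory, the following Python detector applies the log indicators above to constructed sample access-log lines. It assumes a hypothetical "client-ip method path status" log format and made-up TLK302T URL paths; unlike the plain CONTAINS query it percent-decodes the request (single and double encoding) and matches case-insensitively, including a few inline event handlers.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not from the advisory). Format assumed:
# "<client-ip> <method> <path> <status>"; the TLK302T paths are hypothetical.
SAMPLE_LOGS = [
    '10.0.0.5 POST /config/name?label=Tower%20A 200',
    '10.0.0.9 POST /config/name?label=%3Cscript%3Ealert(1)%3C/script%3E 200',
    '10.0.0.9 POST /config/name?label=<img src=x onerror=alert(1)> 200',
    '10.0.0.7 GET /status 200',
    '10.0.0.9 POST /config/link?url=JavaScript:alert(1) 200',
]

# The advisory's two indicators (<script>, javascript:) plus common inline
# event handlers, which a literal "<script>" CONTAINS match would miss.
XSS_PATTERNS = [
    re.compile(r'<\s*script\b', re.IGNORECASE),
    re.compile(r'javascript\s*:', re.IGNORECASE),
    re.compile(r'\bon(error|load|click|mouseover|focus)\s*=', re.IGNORECASE),
]


def normalize(request: str) -> str:
    """Percent-decode twice so single- and double-encoded payloads compare equal."""
    return unquote(unquote(request))


def is_xss_indicator(line: str) -> bool:
    """True if the decoded log line contains any XSS indicator pattern."""
    decoded = normalize(line)
    return any(p.search(decoded) for p in XSS_PATTERNS)


def find_xss_indicators(lines):
    """Return (client_ip, decoded_line) for every log line that matches."""
    hits = []
    for line in lines:
        if is_xss_indicator(line):
            hits.append((line.split()[0], normalize(line)))
    return hits


if __name__ == "__main__":
    for ip, req in find_xss_indicators(SAMPLE_LOGS):
        print(ip, req)
```

Any hit against the management interface is worth a closer look at the stored field it targeted, since the payload persists until the record is cleaned up.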
