CVE-2025-65289

6.1 MEDIUM

📋 TL;DR

A stored XSS vulnerability in Mercury MR816v2 routers allows attackers on the local network to inject malicious JavaScript into the router's management interface via hostname submission. This can lead to session hijacking of administrator accounts. Only users of this specific router model with the vulnerable firmware are affected.

💻 Affected Systems

Products:
  • Mercury MR816v2 router
Versions: 4.8.7 Build 110427 Rel 36550n
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Confirmed only for the firmware version listed above; other versions may also be vulnerable, but this is unconfirmed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete router compromise, allowing an attacker to change all settings, intercept traffic, install backdoors, or brick the device.

🟠 Likely Case

Administrative session theft leading to unauthorized configuration changes, DNS hijacking, or network reconnaissance.

🟢 If Mitigated

Limited to internal network attackers only, with proper network segmentation preventing lateral movement.

🌐 Internet-Facing: LOW - The vulnerability requires LAN access; the management interface should not be exposed to the internet.
🏢 Internal Only: HIGH - Any compromised device or malicious insider on the LAN can exploit this to gain administrative control.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires LAN access but no authentication; basic web development skills sufficient to craft payload.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Check vendor website for firmware updates. If unavailable, consider workarounds or replacement.

🔧 Temporary Workarounds

Network Segmentation (all)

Isolate the router management interface on a dedicated VLAN, or restrict access to trusted management hosts only.

Disable DHCP Hostname Submission (all)

If possible, disable or restrict the DHCP client hostname submission functionality in the router settings.

🧯 If You Can't Patch

  • Replace router with supported model receiving security updates
  • Implement strict network access controls to router management interface

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in web interface. If version matches affected version, assume vulnerable.

Check Version:

Log in to the router web interface and check the System Status or About page for the firmware version.

Verify Fix Applied:

Submit a test XSS string via the DHCP hostname field; if it is sanitized or blocked, the fix may have been applied.

📡 Detection & Monitoring

Log Indicators:

  • Unusual DHCP requests with long or JavaScript-containing hostnames
  • Multiple failed admin login attempts from unexpected sources

Network Indicators:

  • HTTP requests to router management interface with suspicious parameters
  • Unexpected outbound connections from router

SIEM Query:

source="router_logs" AND (hostname CONTAINS "<script>" OR hostname CONTAINS "javascript:")
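The query above matches two literal, case-sensitive strings, so upper-cased, percent-encoded or attribute-based payloads slip past it. As an added example (not from the advisory or the vendor), this Python scanner applies the same idea to constructed DHCP lease log lines, normalizing encoding and case and additionally flagging any client hostname that falls outside the RFC 1123 character set; the log format, field names and sample lines are assumptions.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample lease log (not the router's real format); assumed layout:
# "<timestamp> dhcp lease <ip> <mac> <client-hostname>". alert(1) is a harmless canary.
SAMPLE_LOG = """\
2025-01-10T08:00:01 dhcp lease 192.168.1.20 aa:bb:cc:00:00:01 LAPTOP-OFFICE
2025-01-10T08:00:02 dhcp lease 192.168.1.21 aa:bb:cc:00:00:02 <script>alert(1)</script>
2025-01-10T08:00:03 dhcp lease 192.168.1.22 aa:bb:cc:00:00:03 %3CSCRIPT%3Ealert(1)%3C/SCRIPT%3E
2025-01-10T08:00:04 dhcp lease 192.168.1.23 aa:bb:cc:00:00:04 x"onmouseover="alert(1)
2025-01-10T08:00:05 dhcp lease 192.168.1.24 aa:bb:cc:00:00:05 printer-3f
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) dhcp lease (?P<ip>\S+) (?P<mac>\S+) (?P<host>.*)$")
# RFC 1123 hostname: dot-separated labels of letters, digits and inner hyphens.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
VALID_HOST_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")
EVENT_HANDLER_RE = re.compile(r"\bon[a-z]+\s*=")  # onerror=, onload=, ...

def normalize(raw: str) -> str:
    """Undo percent/HTML encoding (twice, for double-encoded values) and lower-case."""
    s = raw
    for _ in range(2):
        s = html.unescape(unquote(s))
    return s.lower()

def classify_hostname(raw: str) -> list[str]:
    """Reasons a DHCP client hostname looks like an XSS attempt; [] if it looks normal."""
    reasons = []
    norm = normalize(raw)
    if "<script" in norm or "javascript:" in norm:  # the page's SIEM markers, case-folded
        reasons.append("script_marker")
    if EVENT_HANDLER_RE.search(norm):               # attribute-based payloads
        reasons.append("event_handler")
    if any(len(label) > 63 for label in raw.split(".")):  # RFC limit per label
        reasons.append("oversized")
    if not VALID_HOST_RE.match(raw):                # anything outside the hostname charset
        reasons.append("invalid_charset")
    return reasons

def scan_log(text: str) -> list[dict]:
    """Parse lease lines and return one record per suspicious hostname."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and (reasons := classify_hostname(m["host"])):
            hits.append({"ip": m["ip"], "mac": m["mac"], "hostname": m["host"], "reasons": reasons})
    return hits
```

If your network uses Windows-style names containing underscores, add `_` to the character classes in `LABEL` to avoid noise from the charset check.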
