CVE-2025-70545

6.1 MEDIUM

📋 TL;DR

A stored cross-site scripting vulnerability in the PPC (Belden) ONT 2K05X router's web management interface allows remote, unauthenticated attackers to inject malicious JavaScript that persists and executes when users access the interface. This affects organizations using the vulnerable router firmware version, potentially compromising network management security.

💻 Affected Systems

Products:
  • PPC (Belden) ONT 2K05X router
Versions: Firmware v1.1.9_206L
Operating Systems: Embedded router OS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the Common Gateway Interface (CGI) component of the web management interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete router compromise leading to network interception, credential theft, and lateral movement into connected systems.

🟠 Likely Case

Session hijacking, credential theft from administrators, and unauthorized configuration changes to the router.

🟢 If Mitigated

Limited impact if the interface is not internet-facing and access is restricted to trusted users only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

GitHub repository contains exploit details; unauthenticated nature makes exploitation straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: http://ppc.com

Restart Required: No

Instructions:

Check vendor website for firmware updates; if available, download and apply through web interface or console.

🔧 Temporary Workarounds

Disable Web Management Interface

Applies to: all

Temporarily disable the vulnerable web interface to prevent exploitation.

Use console/SSH to disable HTTP/HTTPS services: 'no ip http server' and 'no ip http secure-server' (Cisco-like syntax; adjust for actual CLI)

Restrict Access with ACLs

Applies to: all

Implement access control lists to limit web interface access to trusted IPs only.

Configure firewall rules to allow only specific management IPs to access the router web interface on ports 80/443.

🧯 If You Can't Patch

  • Isolate router on separate VLAN with strict network segmentation
  • Implement web application firewall (WAF) with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface (System > Status) or CLI command 'show version'; if v1.1.9_206L, likely vulnerable.

Check Version:

show version

Verify Fix Applied:

After applying any firmware update, verify that the reported version is no longer v1.1.9_206L; test XSS payload injection in CGI parameters.

📡 Detection & Monitoring

Log Indicators:

  • Unusual CGI parameter values in web server logs
  • Multiple failed login attempts followed by successful access

Network Indicators:

  • HTTP requests with JavaScript payloads in parameters to router IP
  • Unexpected outbound connections from router

SIEM Query:

source="router_logs" AND (url="*cgi*" AND (param="*<script>*" OR param="*javascript:*"))
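The same indicators (script payloads in CGI parameters) expressed as a standalone log scanner, added here as an example and not part of the advisory or any vendor tooling. It assumes the router's web server writes combined-format access logs; the sample lines, hostnames and addresses are constructed, and the decoding loop is there because the SIEM wildcard above misses URL-encoded payloads.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample lines in combined log format (assumed format, not captured from a real device).
SAMPLE_LOGS = [
    '203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "GET /cgi-bin/status.cgi?lang=en HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Jan/2025:10:00:02 +0000] "GET /cgi-bin/setup.cgi?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 210',
    '203.0.113.9 - - [10/Jan/2025:10:00:03 +0000] "POST /cgi-bin/conf.cgi?redir=JAVASCRIPT%3Aalert(1) HTTP/1.1" 302 0',
    '198.51.100.4 - - [10/Jan/2025:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

# Client IP, timestamp, method, request target and status from one access-log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# Same two indicators as the SIEM query, matched case-insensitively after decoding.
PAYLOAD_RE = re.compile(r'<\s*script|javascript\s*:', re.IGNORECASE)

def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(url):
    """Return (name, decoded_value) pairs of CGI query parameters carrying script payloads."""
    parts = urlsplit(url)
    if 'cgi' not in parts.path.lower():          # only CGI endpoints are in scope here
        return []
    hits = []
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = decode_fully(raw)                  # parse_qsl decodes once; handle nested encoding
        if PAYLOAD_RE.search(value):
            hits.append((name, value))
    return hits

def scan_logs(lines):
    """Return one alert dict per request whose CGI parameters match the indicators."""
    alerts = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue                                # skip lines that are not request records
        hits = suspicious_params(m.group('url'))
        if hits:
            alerts.append({'ip': m.group('ip'), 'ts': m.group('ts'),
                           'path': urlsplit(m.group('url')).path, 'params': hits})
    return alerts

if __name__ == '__main__':
    for alert in scan_logs(SAMPLE_LOGS):
        print(alert)
```

Feed real access logs through `scan_logs` line by line; pair a hit with the session and configuration-change records from the same source address when triaging.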
