CVE-2025-2609
Published: 21 March 2025
Summary
CVE-2025-2609 is a high-severity Cross-site Scripting (CWE-79) vulnerability in MagnusSolution MagnusBilling. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 12.7% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-2609 is an improper neutralization of input during web page generation vulnerability, also described as cross-site scripting, that affects the login logging component of MagnusBilling through version 7.3.0. The flaw resides in the MagnusLog.php file and permits unauthenticated users to store HTML content that is later rendered in the viewable log at /mbilling/index.php/logUsers/read.
An attacker can supply crafted input during authentication attempts that is persisted without sanitization. When an administrator or other user views the logUsers component, the injected content executes in the victim's browser under the application's origin, enabling theft of session data or other actions. This is consistent with the CVSS vector: network access, low complexity, no privileges, required user interaction, and changed scope.
Public references include a commit that addresses the issue in the magnusbilling7 repository along with advisories from VulnCheck and technical write-ups that outline the affected logging path and recommend applying the available patch or upgrading beyond 7.3.0.
EPSS for the CVE reached a peak of 0.0552 on 2025-12-11 before receding to the current value of 0.0318.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7200
Vulnerability details
Improper neutralization of input during web page generation (cross-site scripting) vulnerability in MagnusSolution MagnusBilling login logging allows unauthenticated users to store HTML content in the viewable log component accessible at /mbilling/index.php/logUsers/read. This vulnerability is associated with program files protected/components/MagnusLog.php. This issue affects MagnusBilling through 7.3.0.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in a public-facing web app directly enables T1190 for initial access via unauthenticated injection, and it facilitates T1539 by allowing injected scripts to steal session cookies or credentials from users viewing logs.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates stored XSS by requiring output filtering prior to web page generation to ensure consistency with the declared content type, preventing execution of injected HTML in the log viewer.
- Prevents storage of malicious HTML inputs in login logs by validating all inputs to the MagnusLog.php component against defined criteria.
- Addresses the specific flaw in MagnusLog.php by requiring identification, testing, and deployment of the available patch to remediate the improper neutralization vulnerability.
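The following sketch shows how the two controls named in the summary, SI-10 and SI-15, apply to a login-attempt log. It is an added example, not MagnusBilling code or its patch. The function names, the record shape, the username policy and the HTML table rendering are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; not taken from MagnusLog.php.
// SI-10: validate the unauthenticated, attacker-controlled username before storing it.
// Assumed policy: 1-64 characters from letters, digits and . _ @ -
function normalize_login_name(string $raw): string
{
    if (preg_match('/\A[A-Za-z0-9._@-]{1,64}\z/', $raw) === 1) {
        return $raw;
    }
    // Keep the event but not the raw value: a fixed marker plus a short digest
    // still lets an analyst correlate repeated attempts with the same input.
    return 'invalid:' . substr(hash('sha256', $raw), 0, 16);
}

function build_log_entry(string $rawUser, string $ip, bool $ok): array
{
    return [
        'user'   => normalize_login_name($rawUser),
        'ip'     => filter_var($ip, FILTER_VALIDATE_IP) !== false ? $ip : 'invalid',
        'result' => $ok ? 'success' : 'failure',
    ];
}

// SI-15: encode every cell at render time, whatever was stored. Rows written
// before input validation existed may still contain markup.
function render_log_row(array $entry): string
{
    $cells = array_map(
        static fn ($v): string => htmlspecialchars((string) $v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
        [$entry['user'], $entry['ip'], $entry['result']]
    );
    return '<tr><td>' . implode('</td><td>', $cells) . '</td></tr>';
}

// Constructed sample data: a legacy row holding benign markup, then two new attempts.
$legacyRow = ['user' => '<b>bold</b>', 'ip' => '203.0.113.7', 'result' => 'failure'];
echo render_log_row($legacyRow), PHP_EOL;
echo render_log_row(build_log_entry('<i>x</i>', '203.0.113.7', false)), PHP_EOL;
echo render_log_row(build_log_entry('alice@example.com', '203.0.113.7', true)), PHP_EOL;
```

Output encoding is the control that protects the viewer even for rows stored before a fix was deployed, which is why it is applied unconditionally rather than only to entries that fail validation.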