CVE-2025-2609

High · Public PoC

Published: 21 March 2025
Modified: 01 April 2025
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)
EPSS Score: 0.0318 (87.3rd percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-2609 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Magnussolution Magnusbilling. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 12.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-2609 is an improper neutralization of input during web page generation vulnerability, also described as cross-site scripting, that affects the login logging component of MagnusBilling through version 7.3.0. The flaw resides in the MagnusLog.php file and permits unauthenticated users to store HTML content that is later rendered in the viewable log at /mbilling/index.php/logUsers/read.

An attacker can supply crafted input during authentication attempts that is persisted without sanitization. When an administrator or other user views the logUsers component, the injected content executes in the victim's browser under the application's origin, enabling theft of session data or other actions. This is consistent with the CVSS vector: network access, low complexity, no privileges, required user interaction, and changed scope.

Public references include a commit that addresses the issue in the magnusbilling7 repository along with advisories from VulnCheck and technical write-ups that outline the affected logging path and recommend applying the available patch or upgrading beyond 7.3.0.

EPSS for the CVE reached a peak of 0.0552 on 2025-12-11 before receding to the current value of 0.0318.

EU & UK References

Vulnerability details

Improper neutralization of input during web page generation vulnerability in MagnusSolution MagnusBilling login logging allows unauthenticated users to store HTML content in the viewable log component accessible at /mbilling/index.php/logUsers/read (cross-site scripting). This vulnerability is associated with program files protected/components/MagnusLog.Php. This issue affects MagnusBilling: through 7.3.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

Stored XSS in a public-facing web app directly enables T1190 for initial access via unauthenticated injection, and it facilitates T1539 by allowing injected scripts to steal session cookies or credentials from users viewing the logs.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-2610 (same product: Magnussolution Magnusbilling)
CVE-2024-13094 (shared CWE-79)
CVE-2025-27269 (shared CWE-79)
CVE-2026-21284 (shared CWE-79)
CVE-2025-23960 (shared CWE-79)
CVE-2026-34932 (shared CWE-79)
CVE-2025-26581 (shared CWE-79)
CVE-2024-57030 (shared CWE-79)
CVE-2024-40748 (shared CWE-79)
CVE-2026-21264 (shared CWE-79)

Affected Assets

magnussolution magnusbilling ≤ 7.3.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly mitigates stored XSS by requiring output filtering prior to web page generation to ensure consistency with declared content type, preventing execution of injected HTML in the log viewer.

prevent

Prevents storage of malicious HTML inputs in login logs by validating all inputs to the MagnusLog.Php component against defined criteria.

prevent

Addresses the specific flaw in MagnusLog.Php by requiring identification, testing, and deployment of the available patch to remediate the improper neutralization vulnerability.
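
The PHP sketch below is an added example of the two preventive controls named in the summary: input validation (SI-10) when a login attempt is logged and output filtering (SI-15) when the log view is generated. It is not MagnusBilling's code or the project's patch. The function names, the username policy, the server-side table rendering, and the sample row are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers, not MagnusBilling's code. They validate
// attacker-controlled login fields before they are logged (SI-10) and
// encode stored values when the log view is generated (SI-15).

/** Input validation: accept only a bounded, known alphabet before storage. */
function normalize_logged_username(string $raw): string
{
    // Assumed policy: letters, digits and . _ @ - with a 64-character limit.
    if (preg_match('/\A[A-Za-z0-9._@-]{1,64}\z/', $raw) === 1) {
        return $raw;
    }
    // Keep evidence of the attempt without keeping the markup itself.
    return '[rejected username, ' . strlen($raw) . ' bytes, sha256 '
        . hash('sha256', $raw) . ']';
}

/** Output encoding: every stored value is emitted as text, never as HTML. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render one log row (assumed columns: date, username, description). */
function render_log_row(array $row): string
{
    return sprintf(
        '<tr><td>%s</td><td>%s</td><td>%s</td></tr>',
        h($row['date']),
        h($row['username']),
        h($row['description'])
    );
}

// Constructed sample: harmless markup submitted as a username in a failed login.
$submitted = '<b>not-a-user</b>';

// Legacy row stored before validation existed: encoding alone must neutralise it.
$legacy = ['date' => '2025-03-21 10:00:00', 'username' => $submitted, 'description' => 'Login failed'];
echo render_log_row($legacy), PHP_EOL;

// New row: validation replaces the markup before it reaches storage.
$fresh = $legacy;
$fresh['username'] = normalize_logged_username($submitted);
echo render_log_row($fresh), PHP_EOL;
```

Encoding at render time is the control that protects rows already stored by an unpatched version; validation at write time only limits what new attempts can add.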

References