CVE-2025-64054

CriticalPublic PoC

Published: 05 December 2025

Published

05 December 2025

Modified

09 January 2026

KEV Added

—

Patch

—

CVSS Score 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

EPSS Score 0.0016 36.6th percentile

Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-64054 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Fanvil X210 Firmware. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Requires validation of POST request inputs at the vulnerable /cgi-bin/webconfig endpoint to block malicious XSS payloads before processing.

SI-15 Information Output Filtering good match

prevent

Mandates filtering of reflected outputs from the upload endpoint to prevent injected scripts from executing in the victim's browser.

SI-2 Flaw Remediation good match

prevent

Ensures timely identification, reporting, and patching of the specific XSS flaw in Fanvil x210 firmware version 2.12.20.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Reflected XSS vulnerability in a public-facing web endpoint (/cgi-bin/webconfig) on Fanvil x210 network device enables unauthenticated exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A reflected Cross Site Scripting (XSS) vulnerability on Fanvil x210 2.12.20 devices allows attackers to cause a denial of service or potentially execute arbitrary commands via crafted POST request to the /cgi-bin/webconfig?page=upload&action=submit endpoint.

Deeper analysisAI

CVE-2025-64054 is a reflected Cross-Site Scripting (XSS) vulnerability affecting Fanvil x210 devices running firmware version 2.12.20. The flaw exists in the /cgi-bin/webconfig?page=upload&action=submit endpoint, where a crafted POST request can inject malicious scripts. It is classified under CWE-79 and carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and potential for high-impact consequences across confidentiality, integrity, and availability.

Unauthenticated attackers on the network can exploit this vulnerability by tricking users into interacting with a maliciously crafted POST request, such as via a phishing link or social engineering. Successful exploitation leads to reflected XSS, enabling denial of service on the targeted device or, in some cases, potential execution of arbitrary commands within the victim's browser context, leveraging the changed scope for broader impact.

Mitigation details and advisories are available from the vendor at http://fanvil.com and in the SpikeReply advisory at https://github.com/SpikeReply/advisories/blob/main/cve/fanvil/cve-2025-64054.md, published on 2025-12-05. Security practitioners should consult these resources for patching instructions or workarounds specific to Fanvil x210 firmware updates.