CVE-2025-26202 PoC: DZS ZNID-GPON-2428B1-0ST Cross-Site Scripting Vulnerability

Associated Vulnerability
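Title: DZS ZNID-GPON-2428B1-0ST Cross-Site Scripting Vulnerability (CVE-2025-26202)
Description: The DZS ZNID-GPON-2428B1-0ST is a router made by DZS. The DZS ZNID-GPON-2428B1-0ST has a cross-site scripting vulnerability, which stems from its susceptibility to cross-site scripting attacks and allows malicious code to be injected.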
Readme
# CVE-2025-26202-Details

# CVE-2025-26202: Cross-Site Scripting (XSS) in DZS Router Web Interface

## Description
A **Cross-Site Scripting (XSS)** vulnerability exists in the WPA/WAPI Passphrase field of the Wireless Security settings (2.4GHz & 5GHz bands) in the DZS Router Web Interface. An authenticated attacker can inject malicious JavaScript into the passphrase field, which is stored and later executed when an administrator views the passphrase via the "Click here to display" option on the Status page.

## Affected Products
- **Vendor**: DZS
- **Product**: ZNID-GPON-2428B1-0ST
- **Firmware Version**: S4.2.022

## Vulnerability Type
- **Cross-Site Scripting (XSS)**

## Impact
- **Session Hijacking**: An attacker can hijack the administrator's session.
- **Arbitrary Actions**: An attacker can perform actions on behalf of the authenticated user.

## Affected Component
The vulnerability exists in the following pages:
- Wireless Security Configuration Page (2.4GHz & 5GHz)
- WPA/WAPI Passphrase Field
- Status Page (`<a href="javascript:pin_window()">...</a>`)

## Attack Vectors
### Steps to Reproduce
1. **Login to the Router Web Interface**
   - Open a web browser and navigate to the router's admin panel (e.g., `http://192.168.100.1`).
   - Enter valid admin credentials.

2. **Inject the Malicious XSS Payload in Both Wireless Bands**
   - **For 2.4GHz Band (wl0):**
     1. Navigate to **Wireless > Security** under 2.4GHz (wl0).
     2. Locate the **WPA/WAPI Passphrase** field.
     3. Inject the following XSS payload into the passphrase field:
        ```html
        </center><script>alert("XSS Triggered")</script>
        ```
     4. Click **Apply/Save** to store the malicious payload.
   - **For 5GHz Band (wl1):**
     1. Repeat the same steps as above in 5GHz (wl1) Security Settings.

3. **Trigger the XSS Execution**
   - **For 2.4GHz Band (wl0):**
     1. Navigate to **Status** from the navigation menu.
     2. Click **2.4GHz (wl0)**.
     3. Click **"Click here to display"** next to the Password field.
     4. The XSS payload executes inside the pop-up.
   - **For 5GHz Band (wl1):**
     1. Perform the same steps in **Status > 5GHz (wl1)** to trigger the XSS.

## Discoverer
- **Name**: Asim Barnawi

## References
- [DZS Official Website](https://dzsi.com)
- [ZNID-GPON-2428B1-0ST Product Page](https://dzsi.com/product/2428b1/)

## Mitigation
- **Vendor Action**: The vendor should sanitize user input in the WPA/WAPI Passphrase field to prevent the execution of malicious scripts.
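
The fix described above, sketched as an added example (not code from the DZS firmware or from this README's author): passphrase validation on save next to HTML encoding when the stored value is rendered. The function names and the `<center>Password: ...</center>` pop-up markup are assumptions made for illustration; only the payload string comes from the reproduction steps.

```javascript
// Added example. Function names and pop-up markup are hypothetical,
// not taken from the DZS firmware.

// WPA-Personal passphrase: 8-63 printable ASCII characters (0x20-0x7E),
// or a raw 256-bit PSK written as exactly 64 hex digits.
function isValidWpaPassphrase(value) {
  if (typeof value !== "string") return false;
  return /^[\x20-\x7e]{8,63}$/.test(value) || /^[0-9a-fA-F]{64}$/.test(value);
}

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  const map = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored value is concatenated into the markup
// (assumed shape of the Status page pop-up).
function renderPopupUnsafe(passphrase) {
  return "<center>Password: " + passphrase + "</center>";
}

// Hardened pattern: same markup, stored value encoded at output time.
function renderPopupSafe(passphrase) {
  return "<center>Password: " + escapeHtml(passphrase) + "</center>";
}

// Payload string quoted in the reproduction steps of this README.
const readmePayload = '</center><script>alert("XSS Triggered")</script>';

console.log("accepted as passphrase:", isValidWpaPassphrase(readmePayload));
console.log("unsafe render:", renderPopupUnsafe(readmePayload));
console.log("safe render:  ", renderPopupSafe(readmePayload));
```

The README payload is 48 printable ASCII characters, so a standards-conforming length and character-set check accepts it as a passphrase. Encoding at the point where the value is written into the Status page pop-up is what keeps it from being parsed as markup.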

---

**Disclaimer**: This repository is for informational purposes only. The discoverer and publisher of this information are not responsible for any misuse of the disclosed vulnerability.