Overview
| Field | Details |
|---|---|
| CVE ID | CVE-2025-27259 |
| Severity | Low |
| CVSS Score | 2.4 |
| CVSS Vector | CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-79 — Cross-Site Scripting (XSS) |
| Vendor | Ericsson |
| Affected Product | Ericsson Network Manager (ENM) |
| Affected Versions | All versions before 25.2 GA |
| Disclosure Date | October 13, 2025 |
Description
A Cross-Site Scripting (XSS) vulnerability in Ericsson Network Manager (ENM) allows an authenticated, adjacent network attacker to inject malicious scripts into the application. The vulnerability requires user interaction and can be used to exfiltrate limited data or redirect victims to arbitrary sites and domains.
Impact
A low-privileged attacker on the adjacent network can, upon victim interaction, achieve limited confidentiality and integrity impact — including exfiltration of session data or user redirection to attacker-controlled domains.
Remediation
Upgrade Ericsson Network Manager to version 25.2 GA or later.
Credits
Discovered by the TIM Security Red Team Research team:
Andrea Carlo Maria Dattola, Cristina Coppola, Carlo Pannullo, Massimiliano Brolli.