CVE-2025-67448: Neterbit NW-431F Router SMS Stored XSS Vulnerability (CVSS 7.1)
A stored cross-site scripting (XSS) vulnerability exists in the SMS module of Neterbit NW-431F routers running firmware version 20241014-IR03 and earlier. An attacker can craft a malicious SMS message and send it to a router user; when that user views the message, the embedded script executes in their browser. This allows attackers to steal session tokens, redirect users, inject fake content, or perform actions on behalf of the victim—all without the victim realizing they've been compromised through what appears to be a routine SMS.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
The SMS module in Neterbit NW-431F Router 20241014-IR03 and before is vulnerable to stored XSS. The application does not properly sanitize user input in SMS messages before storing and displaying them. An attacker can send an SMS containing a malicious XSS payload, which will be executed in the context of the victim's browser when the message is viewed.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability is a classic stored XSS (CWE-79) in the router's web-based SMS interface. The router receives SMS messages and stores them in a database or filesystem without sanitizing HTML or JavaScript characters. When the administrative or user interface renders stored SMS messages for display, the malicious payload is executed in the browser with the privileges of the logged-in session. The CVSS 3.1 score of 7.1 (HIGH) reflects the network attack vector (AV:N), low attack complexity (AC:L), lack of privilege requirements (PR:N), but requirement for user interaction (UI:R) to view the message and the high confidentiality impact (C:H). The integrity impact is limited (I:L) since the attacker cannot directly modify server state, and there is no availability impact.
Business impact
Routers are often deployed in small offices, retail locations, and branch operations where they serve as critical network chokepoints. Compromise of a router's SMS or administrative interface can lead to unauthorized access to network resources, interception of communications, or lateral movement into connected systems. An attacker leveraging this vulnerability could steal credentials visible in the interface, capture browser session tokens, or redirect users to phishing sites when they attempt to manage the router. For organizations relying on this model for remote management or SMS-based notifications, the impact includes loss of confidentiality of sensitive network configuration data and potential integrity issues if credentials are harvested.
Affected systems
Neterbit NW-431F routers with firmware version 20241014-IR03 and all earlier versions are affected. Organizations using this specific router model for network access or IoT gateway functionality should verify their firmware version in the device settings or management interface. The vendor or product distribution channel should be consulted for a definitive list of all affected firmware revisions, as the advisory states 'and before' without specifying the earliest affected version.
Exploitability
Exploitation requires the attacker to send an SMS to the router and the victim to view that message through the web interface—a reasonably achievable scenario in environments where router SMS features are actively used for alerting or two-factor authentication. The network-accessible attack vector and lack of authentication requirement for sending SMS (if the router accepts external messages) lower the barrier further. However, the requirement for user interaction (viewing the message) means this is not a worm-like vulnerability that spreads automatically. Exploit code is not known to be publicly available, and the vulnerability is not tracked on CISA's Known Exploited Vulnerabilities list, reducing immediate threat likelihood—but organizations should not interpret this as a signal to delay patching.
Remediation
The primary remediation is to update the Neterbit NW-431F firmware to a patched version released after 20241014-IR03. Customers should verify the availability of a firmware update from Neterbit and apply it to all affected devices. Interim mitigation measures include disabling the SMS module in the router's settings if it is not actively required, restricting access to the router's web interface to trusted IP addresses via access control lists, and monitoring SMS logs for unexpected or suspicious messages containing special characters or script-like content.
Patch guidance
Contact Neterbit support or check the vendor's security advisory page for the latest firmware version addressing CVE-2025-67448. Firmware updates for router devices should be applied during a maintenance window to avoid network interruption. Before deploying to production, test the update on a non-critical device or in a lab environment to confirm compatibility with your network configuration. Document the firmware version after patching to streamline future vulnerability assessments.
Detection guidance
Monitor router SMS logs for messages containing HTML tags (< or >), JavaScript keywords (script, onclick, onerror, onload), or other encoded variations that might indicate payload delivery. Look for unusual patterns in SMS sender identities or timestamps. If you have access to web server or application logs, search for POST requests to SMS viewing or retrieval endpoints with encoded or obfuscated payloads. Network-based detection is limited unless the router exports logs to a SIEM; in that case, define alerts for XSS-like patterns in SMS message fields.
Why prioritize this
This vulnerability merits prompt attention despite a lack of known active exploitation. The HIGH CVSS score reflects the sensitive nature of router administration interfaces and the potential for lateral movement. The attack is feasible in real-world scenarios where routers process incoming SMS (e.g., 4G/LTE routers, IoT gateways). Organizations should prioritize patching within 30 days, sooner if the router is internet-facing or handles critical network functions. The fact that it is not yet on the KEV list should not delay action—KEV inclusion is not a prerequisite for real-world risk.
Risk score, explained
The CVSS 3.1 score of 7.1 (HIGH) balances several factors: network accessibility and no authentication requirement support a high score, but the UI:R (user interaction) requirement prevents a critical rating. The high confidentiality impact reflects the sensitivity of credentials and session tokens stored in router interfaces. The limited integrity impact (I:L) acknowledges that the attacker cannot directly alter router configuration or network state through XSS alone, though session hijacking could enable further actions. The zero availability impact is correct—the vulnerability does not cause denial of service.
Frequently asked questions
Can this vulnerability be exploited if the router does not receive external SMS messages?
If the router is configured to block inbound SMS or does not actively receive messages from external sources, the attack surface is reduced. However, internal users or administrators who send test SMS messages to the device could inadvertently deliver a payload. Best practice is to assume the router may process untrusted SMS and patch regardless.
Does this affect my network if I do not use the router's SMS or web interface features?
If the SMS module is present in firmware but disabled, the vulnerability code path may still exist in memory. While the practical risk is lower, you should still apply the patch to eliminate the issue entirely. Additionally, firmware updates often include other security fixes unrelated to this vulnerability.
What is the difference between stored and reflected XSS, and why does it matter here?
Stored XSS means the malicious payload is saved in the router's database and executed every time any user views it—making it more dangerous because the attacker does not need to trick the victim into clicking a link. Reflected XSS requires the attacker to craft a special URL and convince the victim to visit it. Stored XSS in a router's SMS module is particularly serious because victims may routinely check messages without suspicion.
If we update the firmware, are we protected from all router vulnerabilities?
Patching this vulnerability closes CVE-2025-67448, but routers may contain other unrelated vulnerabilities. After patching, continue to follow secure practices: use strong administrative passwords, disable unnecessary services, and keep monitoring vendor advisories for future issues.
This analysis is provided for informational purposes and represents a point-in-time assessment based on publicly available information as of the publication date. Vulnerability details, patch availability, and threat landscape may change; consult Neterbit's official security advisory and product documentation for authoritative remediation guidance. SEC.co does not endorse or validate specific vendor products or versions and assumes no liability for patches or mitigations applied based on this intelligence. Organizations should conduct their own risk assessment, testing, and validation before deploying updates to production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-11262HIGHLink Whisper Free Stored XSS Vulnerability – Analysis & Patch Guidance
- CVE-2025-14773HIGHABB T-MAC Plus XSS Vulnerability – HIGH Risk Assessment
- CVE-2025-15654HIGHFox-themes Prague Reflected XSS Vulnerability – CVSS 7.1 (HIGH)
- CVE-2025-52759HIGHReflected XSS in UnboundStudio Accordion FAQ Plugin (Versions ≤2.2.1)
- CVE-2026-2374HIGHLogin No Captcha reCAPTCHA WordPress Plugin Stored XSS Vulnerability
- CVE-2026-24751HIGHKiteworks Reflected XSS in Secure Data Forms (CVSS 8.2)
- CVE-2026-24752HIGHKiteworks Reflected XSS in Secure Data Forms (CVSS 8.2)
- CVE-2026-33245HIGHReact Router 7.7.0-7.13.1 RSC XSS Vulnerability – Patch Available