CVE-2025-26202 PoC: DZS ZNID-GPON-2428B1-0ST cross-site scripting vulnerability

Associated Vulnerability
Title: DZS ZNID-GPON-2428B1-0ST cross-site scripting vulnerability (CVE-2025-26202)
Description: Cross-Site Scripting (XSS) vulnerability exists in the WPA/WAPI Passphrase field of the Wireless Security settings (2.4GHz & 5GHz bands) in DZS Router Web Interface. An authenticated attacker can inject malicious JavaScript into the passphrase field, which is stored and later executed when an administrator views the passphrase via the "Click here to display" option on the Status page.
Readme
# CVE-2025-26202-Details

# CVE-2025-26202: Cross-Site Scripting (XSS) in DZS Router Web Interface

## Description
A **Cross-Site Scripting (XSS)** vulnerability exists in the WPA/WAPI Passphrase field of the Wireless Security settings (2.4GHz & 5GHz bands) in the DZS Router Web Interface. An authenticated attacker can inject malicious JavaScript into the passphrase field, which is stored and later executed when an administrator views the passphrase via the "Click here to display" option on the Status page.

## Affected Products
- **Vendor**: DZS
- **Product**: ZNID-GPON-2428B1-0ST
- **Firmware Version**: S4.2.022

## Vulnerability Type
- **Cross-Site Scripting (XSS)**

## Impact
- **Session Hijacking**: An attacker can hijack the administrator's session.
- **Arbitrary Actions**: An attacker can perform actions on behalf of the authenticated user.

## Affected Component
The vulnerability exists in the following pages:
- Wireless Security Configuration Page (2.4GHz & 5GHz)
- WPA/WAPI Passphrase Field
- Status Page (`<a href="javascript:pin_window()">...</a>`)

## Attack Vectors
### Steps to Reproduce
1. **Login to the Router Web Interface**
   - Open a web browser and navigate to the router's admin panel (e.g., `http://192.168.100.1`).
   - Enter valid admin credentials.

2. **Inject the Malicious XSS Payload in Both Wireless Bands**
   - **For 2.4GHz Band (wl0):**
     1. Navigate to **Wireless > Security** under 2.4GHz (wl0).
     2. Locate the **WPA/WAPI Passphrase** field.
     3. Inject the following XSS payload into the passphrase field:
        ```html
        </center><script>alert("XSS Triggered")</script>
        ```
     4. Click **Apply/Save** to store the malicious payload.
   - **For 5GHz Band (wl1):**
     1. Repeat the same steps as above in 5GHz (wl1) Security Settings.

3. **Trigger the XSS Execution**
   - **For 2.4GHz Band (wl0):**
     1. Navigate to **Status** from the navigation menu.
     2. Click **2.4GHz (wl0)**.
     3. Click **"Click here to display"** next to the Password field.
     4. The XSS payload executes inside the pop-up.
   - **For 5GHz Band (wl1):**
     1. Perform the same steps in **Status > 5GHz (wl1)** to trigger the XSS.

## Discoverer
- **Name**: Asim Barnawi

## References
- [DZS Official Website](https://dzsi.com)
- [ZNID-GPON-2428B1-0ST Product Page](https://dzsi.com/product/2428b1/)

## Mitigation
- **Vendor Action**: The vendor should sanitize user input in the WPA/WAPI Passphrase field to prevent the execution of malicious scripts.
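
The mitigation above, worked through as an added example (not code from this README or from the DZS firmware): the README's payload is itself a well-formed WPA passphrase, so the stored value also has to be HTML-encoded where the Status pop-up renders it. All function names are hypothetical, the `<center>` wrapper is an assumption inferred from the payload's leading `</center>`, and the length rule shown is the WPA one only (WAPI is not covered).

```javascript
// Added example with hypothetical names; this is not the router's own code.

// Encode the five characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// WPA-Personal accepts 8-63 printable ASCII characters (0x20-0x7E),
// or exactly 64 hex digits for a raw pre-shared key.
// '<', '>' and '"' are inside that range, so this check cannot stop the XSS.
function isValidWpaPassphrase(value) {
  return /^[\x20-\x7e]{8,63}$/.test(value) || /^[0-9a-fA-F]{64}$/.test(value);
}

// Assumed vulnerable pattern: stored value concatenated into the pop-up markup.
function renderPopupUnsafe(passphrase) {
  return '<center>' + passphrase + '</center>';
}

// Hardened form: identical markup, value encoded at the point of output.
function renderPopupSafe(passphrase) {
  return '<center>' + escapeHtml(passphrase) + '</center>';
}

// Payload taken from the "Steps to Reproduce" section of this README.
const payload = '</center><script>alert("XSS Triggered")</script>';

console.log('accepted as a WPA passphrase:', isValidWpaPassphrase(payload));
console.log('unsafe pop-up markup:', renderPopupUnsafe(payload));
console.log('safe pop-up markup:  ', renderPopupSafe(payload));
```

When the pop-up is built through the DOM rather than by string concatenation, assigning the passphrase to `textContent` gives the same result without a hand-written encoder.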

---

**Disclaimer**: This repository is for informational purposes only. The discoverer and publisher of this information are not responsible for any misuse of the disclosed vulnerability.