CVE-2018-25131 in GR10
Summary
by MITRE • 12/24/2025
Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 contains a stored cross-site scripting vulnerability in the configuration file upload functionality. Attackers can upload a malicious HTML file to that executes arbitrary JavaScript in a user's browser session when viewed.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 12/25/2025
The vulnerability CVE-2018-25131 represents a critical stored cross-site scripting flaw discovered in Leica Geosystems GNSS receivers including models GR10/GR25/GR30/GR50 running firmware version 4.30.063. This security weakness resides within the configuration file upload functionality of these industrial-grade global navigation satellite system devices, which are widely deployed in surveying, mapping, and geospatial applications. The affected devices are commonly used in professional environments where precision positioning and data collection are paramount, making them attractive targets for cyber adversaries seeking to compromise operational integrity.
The technical implementation of this vulnerability stems from insufficient input validation and output encoding within the device's web interface configuration upload mechanism. When authorized users upload configuration files through the device's web management portal, the system fails to properly sanitize or validate the file contents before storing them. This allows attackers to craft malicious HTML files containing embedded JavaScript code that gets stored on the device's filesystem. When legitimate users subsequently view these configuration files through the web interface, the embedded scripts execute within their browser context, creating a persistent cross-site scripting attack vector. This vulnerability falls under CWE-79 which specifically addresses cross-site scripting flaws in web applications and devices with web interfaces.
The operational impact of this vulnerability extends beyond simple script execution as it represents a significant threat to the security posture of geospatial surveying operations. Attackers could potentially execute malicious code that steals session cookies, redirects users to phishing sites, or even modifies device configuration parameters to disrupt surveying operations. The persistent nature of stored XSS means that once an attacker successfully uploads malicious content, the vulnerability remains active until the configuration file is manually removed or the device is reset. This creates a long-term risk for organizations relying on these devices for critical infrastructure work, particularly in sectors such as construction, land management, and surveying where data integrity is crucial. The vulnerability also aligns with ATT&CK technique T1566.001 which covers phishing with malicious attachments, as the initial compromise often occurs through file upload mechanisms.
Mitigation strategies for this vulnerability should include immediate firmware updates from Leica Geosystems to address the stored XSS flaw, network segmentation of these devices to limit access to authorized personnel only, and implementation of web application firewalls to detect and block malicious file uploads. Organizations should also conduct regular security assessments of industrial control systems and implement strict access controls for device management interfaces. Additionally, security awareness training for personnel who manage these devices is essential to prevent social engineering attacks that might lead to successful exploitation. The vulnerability highlights the importance of security-by-design principles in industrial IoT devices and underscores the need for comprehensive security testing of embedded web interfaces in critical infrastructure equipment.