CVE-2023-22971 in HX200
Summary
by MITRE • 01/26/2023
Cross Site Scripting (XSS) vulnerability in Hughes Network Systems Router Terminal for HX200 v8.3.1.14, HX90 v6.11.0.5, HX50L v6.10.0.18, HN9460 v8.2.0.48, and HN7000S v6.9.0.37, allows unauthenticated attackers to misuse frames, include JS/HTML code and steal sensitive information from legitimate users of the application.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 10/06/2025
This cross site scripting vulnerability exists within Hughes Network Systems router terminals affecting multiple device models including HX200 v8.3.1.14, HX90 v6.11.0.5, HX50L v6.10.0.18, HN9460 v8.2.0.48, and HN7000S v6.9.0.37. The flaw stems from insufficient input validation and output encoding mechanisms within the web interface of these network devices, creating an avenue for malicious actors to inject arbitrary javascript code through crafted frame elements. This vulnerability is classified as CWE-79 - Improper Neutralization of Input During Web Page Generation, which represents one of the most prevalent web application security flaws. The vulnerability permits unauthenticated attackers to exploit the web interface without requiring any prior credentials or access privileges, making it particularly dangerous as it can be leveraged by anyone who can reach the affected devices.
The technical implementation of this XSS vulnerability occurs when the router's web interface fails to properly sanitize user-supplied data that is subsequently rendered in HTML output contexts. Attackers can manipulate frame parameters or other input fields to inject malicious javascript payloads that execute within the context of legitimate user sessions. When victims navigate to affected pages or interact with compromised frames, the injected code executes in their browser, potentially enabling session hijacking, credential theft, or redirection to malicious sites. The vulnerability specifically impacts the web-based management interfaces of these network devices, which are typically accessible via standard http or https protocols from network clients. This creates a significant attack surface since these devices often reside in network environments where they may be exposed to untrusted network segments or where users may inadvertently interact with compromised management interfaces.
The operational impact of this vulnerability extends beyond simple information disclosure, as it enables sophisticated attack vectors that can compromise entire network infrastructures. An attacker who successfully exploits this vulnerability can steal session cookies, modify network configurations, or redirect users to phishing sites that appear legitimate. The unauthenticated nature of the attack means that adversaries do not need to establish initial access to the network or possess valid credentials to exploit the vulnerability, which significantly lowers the barrier to successful exploitation. This vulnerability can be particularly damaging in enterprise environments where network administrators rely on these devices for critical infrastructure management, as successful exploitation could lead to complete network compromise. The affected devices operate at the network edge, making them attractive targets for attackers seeking to establish persistent access points or to pivot to other network resources.
Organizations should immediately implement mitigations including applying manufacturer patches and firmware updates as soon as they become available, which would address the root cause of the input validation failures. Network segmentation should be implemented to limit access to these management interfaces to trusted administrative networks only, reducing the attack surface for unauthenticated exploitation. Additional protective measures include implementing web application firewalls that can detect and block suspicious javascript payloads, enabling strict content security policies, and conducting regular security assessments of network device configurations. The vulnerability aligns with ATT&CK technique T1566.001 - Phishing: Spearphishing Attachment, where attackers could potentially use the XSS vulnerability to deliver malicious payloads to users or to establish persistent access through stolen session tokens. Network administrators should also implement monitoring solutions to detect anomalous traffic patterns or unauthorized access attempts to these management interfaces, as the exploitation of such vulnerabilities often generates detectable network behavior that can be used for incident response and forensic analysis.