CVE-2025-13650 in ZeusWeb
Summary
by MITRE • 02/11/2026
An attacker with access to the web application ZeusWeb of the provider Microcom (in this case, registration is not necessary, but the action must be performed) who has the vulnerable software could introduce arbitrary JavaScript by injecting an XSS payload into the ‘Surname’ parameter of the ‘Create Account’ operation at the URL: https://zeus.microcom.es:4040/index.html?zeus6=true . This issue affects ZeusWeb: 6.1.31.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 03/16/2026
The vulnerability identified as CVE-2025-13650 represents a critical cross-site scripting flaw within the ZeusWeb application version 6.1.31 distributed by Microcom. This security weakness manifests through the improper input validation of the Surname parameter during account creation processes, creating an exploitable condition that allows malicious actors to inject arbitrary JavaScript code into the web application's response. The vulnerability is particularly concerning because it does not require user authentication or registration to exploit, making it accessible to any individual with access to the targeted web interface. The attack vector specifically targets the Create Account functionality at the designated URL https://zeus.microcom.es:4040/index.html?zeus6=true, where the Surname field serves as the injection point for malicious payloads.
The technical implementation of this vulnerability stems from inadequate sanitization and validation of user-supplied input within the web application's backend processing logic. When users submit account creation requests with specially crafted JavaScript payloads in the Surname field, the application fails to properly escape or filter the input before incorporating it into the HTML response. This processing gap creates a persistent XSS vulnerability that enables attackers to execute malicious scripts within the context of other users' browsers. The vulnerability aligns with CWE-79 which specifically addresses Cross-Site Scripting flaws in web applications, where insufficient input validation allows malicious code execution in the victim's browser context. The attack scenario demonstrates how an unauthenticated user can leverage this flaw to compromise the security of legitimate users who interact with the vulnerable application.
The operational impact of this vulnerability extends beyond simple data theft or session hijacking, as it provides attackers with the capability to manipulate the application's behavior and potentially escalate privileges. An attacker could craft payloads that redirect users to malicious domains, steal session cookies, or even perform actions on behalf of authenticated users through the application's interface. The implications are particularly severe given that the application operates in a production environment where user data and system integrity are paramount. The vulnerability could enable attackers to access sensitive information, modify account details, or potentially gain unauthorized access to system resources depending on the application's access controls and the privileges associated with the ZeusWeb application. This represents a significant risk to user privacy and data integrity, as the vulnerability affects all users who interact with the account creation functionality.
Mitigation strategies for CVE-2025-13650 should focus on implementing comprehensive input validation and output encoding mechanisms within the ZeusWeb application. The primary defense involves sanitizing all user inputs, particularly those used in dynamic content generation, through proper HTML escaping and validation techniques. Organizations should implement Content Security Policy headers to limit the execution of unauthorized scripts and employ regular expression validation to filter out potentially malicious input patterns. Additionally, the application should utilize parameterized queries and secure coding practices to prevent injection attacks. The remediation process should include updating the ZeusWeb software to version 6.1.32 or later, which should contain patches addressing the specific XSS vulnerability. Security monitoring and logging should be enhanced to detect anomalous input patterns, and regular security assessments should be conducted to identify similar vulnerabilities in the application's codebase. These measures align with ATT&CK technique T1566 which addresses social engineering through malicious code injection, and should be implemented as part of a comprehensive security posture to prevent exploitation of similar vulnerabilities in the future.