CVE-2025-2191 in A7600-A1
Summary
by MITRE • 03/11/2025
A vulnerability, which was classified as problematic, has been found in Claro A7600-A1 RNR4-A72T-2x16_v2110403_CLA_32_160817. Affected by this issue is some unknown functionality of the file /form2pingv6.cgi of the component Ping6 Diagnóstico. The manipulation of the argument ip6addr with the input leads to cross-site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis
by VulDB Data Team • 06/12/2026
This is a cross-site scripting flaw in the Claro A7600-A1 running firmware RNR4-A72T-2x16_v2110403_CLA_32_160817, in the Ping6 Diagnóstico component of the device's web interface. The handler /form2pingv6.cgi accepts the ip6addr parameter, which should only ever hold an IPv6 address, and places it into the generated page without validating it or encoding it for HTML, so a value containing markup is rendered as script in the browser that loads the diagnostic response. The attack vector is network-based: no physical access is required, but the attacker does need a path to the device's web interface (normally the LAN, unless remote management is enabled on the WAN side) and a victim, typically the logged-in administrator, whose browser sends the crafted request. The weakness is CWE-79 (Improper Neutralization of Input During Web Page Generation), in this case missing input validation on ip6addr and missing output encoding when the value is echoed.
The injected script runs in the victim's browser within that user's authenticated session on the router, so it can read and exfiltrate the session cookie or credentials and can issue further requests to the management interface as that user, performing any action the interface exposes without the victim noticing. The practical attack is a link or attacker-controlled page that causes the victim's browser to request /form2pingv6.cgi with a script payload in ip6addr while an administrative session is open. Because a working exploit is public, reproducing the attack takes no research effort. The vendor was contacted before disclosure and did not respond, so no fix is known to be available and every device on this firmware should be assumed affected. In ATT&CK terms the delivery maps to T1566.002 (Phishing: Spearphishing Link) and the execution to T1059.007 (Command and Scripting Interpreter: JavaScript).
The root-cause fix belongs in the firmware: validate ip6addr as an IPv6 address before the CGI uses it, and HTML-encode every user-supplied value when generating the response. Until the vendor ships such an update, operators are limited to compensating controls. Keep the web interface unreachable from untrusted networks: disable WAN-side remote management, and restrict which LAN hosts may reach the management address where the device allows it. Log out of the administrative interface instead of leaving a session open while browsing, since the attack needs an authenticated browser to do its work. Where a reverse proxy or web application firewall already fronts the interface (uncommon for a customer-premises router), a rule that rejects requests to /form2pingv6.cgi whose ip6addr value is not an IPv6 literal blocks the known payloads. Review the other form handlers in the same interface for the same pattern, because a parameter echoed without encoding in one CGI is rarely the only one. Finally, keep and inspect access logs for the web interface: requests to /form2pingv6.cgi whose ip6addr is not an address are the direct indicator of exploitation attempts and the evidence to preserve for forensic analysis.
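The following C program is an added example written for this page; it is not code from the A7600-A1 firmware, whose source is not public. It models the flaw described in the analysis (the ip6addr value echoed unencoded into the page), the fix described in the mitigation section (positive validation with inet_pton plus HTML output encoding), and adds a small log-triage helper for the access-log advice. The handler shape, the response template, the payload string and the query-string layout (ip6addr=...&count=...) are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <arpa/inet.h>

/* Added example, not the A7600-A1 firmware source (not public). It models the
 * CWE-79 pattern in /form2pingv6.cgi: ip6addr is echoed into the result page. */

/* VULNERABLE: the raw parameter goes into the page unchanged, so
 * ip6addr=<script>...</script> becomes live markup in the admin's browser. */
int render_vulnerable(const char *ip6addr, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "<html><body>Ping6 result for <b>%s</b></body></html>", ip6addr);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Escape the five characters that matter in HTML text/attribute context.
 * Returns 0 on success, -1 if the escaped string does not fit in out. */
int html_escape(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (; *in; in++) {
        const char *rep = NULL;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t len = rep ? strlen(rep) : 1;
        if (o + len >= outlen) return -1;
        if (rep) memcpy(out + o, rep, len); else out[o] = *in;
        o += len;
    }
    out[o] = '\0';
    return 0;
}

/* Positive validation: accept only what inet_pton parses as an IPv6 literal.
 * '<', quotes, spaces and parentheses all fail here, before any page is built. */
int is_valid_ipv6(const char *s)
{
    struct in6_addr a;
    return inet_pton(AF_INET6, s, &a) == 1;
}

/* HARDENED: reject non-addresses, and still escape on output so that a later
 * relaxation of the validator (say, allowing hostnames) cannot bring XSS back. */
int render_hardened(const char *ip6addr, char *out, size_t outlen)
{
    char esc[256];
    if (!is_valid_ipv6(ip6addr)) {
        snprintf(out, outlen, "<html><body>Invalid IPv6 address</body></html>");
        return -1;
    }
    if (html_escape(ip6addr, esc, sizeof esc) != 0) return -1;
    int n = snprintf(out, outlen, "<html><body>Ping6 result for <b>%s</b></body></html>", esc);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

static int hexval(int c)
{
    const char *h = "0123456789abcdef", *p = c ? strchr(h, tolower((unsigned char)c)) : NULL;
    return p ? (int)(p - h) : -1;
}
/* Log triage: given the query string of a logged request to /form2pingv6.cgi,
 * percent-decode ip6addr and return 1 if it is not an IPv6 literal (worth an
 * analyst's look), 0 if it is a plain address, -1 if the field is absent. */
int ping6_query_is_suspicious(const char *query)
{
    const char *p = query;
    char dec[256];
    size_t o = 0;
    while ((p = strstr(p, "ip6addr=")) != NULL) {
        if (p == query || p[-1] == '&' || p[-1] == '?') break;
        p++;
    }
    if (!p) return -1;
    for (p += strlen("ip6addr="); *p && *p != '&' && o + 1 < sizeof dec; p++) {
        if (*p == '%' && hexval(p[1]) >= 0 && hexval(p[2]) >= 0) {
            dec[o++] = (char)(hexval(p[1]) * 16 + hexval(p[2]));
            p += 2;
        } else {
            dec[o++] = (*p == '+') ? ' ' : *p;
        }
    }
    dec[o] = '\0';
    return is_valid_ipv6(dec) ? 0 : 1;
}

int main(void)
{
    char page[512];
    const char *payload = "<script>alert(document.cookie)</script>"; /* constructed input */
    render_vulnerable(payload, page, sizeof page);
    printf("vulnerable: %s\n", page);
    printf("hardened rc=%d: %s\n", render_hardened(payload, page, sizeof page), page);
    return 0;
}
```

Two design points. The hardened handler both validates and encodes: validation alone would be enough today, but the encoding step is what keeps the page safe if the field is later widened (to hostnames, for instance). And inet_pton rejects zone-scoped literals such as fe80::1%eth0, which a ping6 diagnostic may legitimately need; if so, split the value at the '%' and validate the address and the interface name separately rather than loosening the check on the whole string.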