CVE-2026-25073 in XikeStor SKS8310-8X
Summary
by MITRE • 03/07/2026
XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain a stored cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary script content through the System Name field. Attackers can inject malicious scripts that execute in a victim's browser when the stored value is viewed due to improper output encoding.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 03/12/2026
The CVE-2026-25073 vulnerability represents a critical stored cross-site scripting flaw within the XikeStor SKS8310-8X Network Switch firmware ecosystem. This security weakness affects firmware versions 1.04.B07 and earlier, creating a persistent threat vector that can be exploited by authenticated attackers who possess legitimate access credentials to the network switch management interface. The vulnerability specifically resides in the System Name field configuration parameter, which serves as an entry point for malicious code injection attacks that can compromise the integrity of the web-based management interface.
The technical implementation of this vulnerability stems from inadequate output encoding practices within the firmware's web interface processing logic. When administrators or authorized users input data into the System Name field, the firmware fails to properly sanitize or encode the submitted content before storing it within the device's configuration database. This insufficient validation allows attackers to inject malicious JavaScript code that gets stored persistently within the switch's memory. The vulnerability is classified under CWE-79 as a classic stored XSS flaw, where malicious input is first stored and then subsequently executed in the context of other users' browsers when they view the affected field.
The operational impact of this vulnerability extends beyond simple script execution, creating a potential attack chain that can lead to significant security breaches within network infrastructure. An authenticated attacker who successfully injects malicious code can leverage this vulnerability to perform session hijacking, steal administrative credentials, or redirect users to phishing sites. The stored nature of the vulnerability means that the malicious payload remains active until the system is rebooted or the configuration is manually cleared, making it particularly dangerous for long-running network equipment. This flaw directly maps to several ATT&CK techniques including T1566 for credential access through malicious web content and T1071 for application layer protocol usage.
Organizations utilizing XikeStor SKS8310-8X switches with affected firmware versions face substantial risk exposure, as the vulnerability can be exploited by both internal malicious actors and external threat groups with legitimate access credentials. The attack surface is further expanded when considering that network administrators often maintain persistent browser sessions with elevated privileges, making successful exploitation particularly damaging. The vulnerability's persistence across system reboots requires comprehensive remediation strategies beyond simple patching, including manual clearing of affected configuration fields and thorough monitoring of network traffic for potential exploitation attempts. Security teams should implement immediate mitigation measures including access control reviews, network segmentation, and enhanced monitoring of management interface activities to detect potential exploitation attempts.