PT-2025-29564 · Nexxt Solutions · Nexxt Solutions Ncm-X1800 Mesh Router
Published 2025-07-15 · Updated 2025-07-15
CVE-2025-52378
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Nexxt Solutions NCM-X1800 Mesh Router versions UV1.2.7 and below
Description
A Cross-Site Scripting (XSS) issue exists in the Nexxt Solutions NCM-X1800 Mesh Router firmware. This allows attackers to inject JavaScript code that is executed within the context of administrator sessions. The vulnerability is triggered when viewing the device management page, specifically through manipulation of the DEVICE ALIAS parameter in the /web/um device set aliasname API endpoint.
Recommendations
Update Nexxt Solutions NCM-X1800 Mesh Router firmware to a version newer than UV1.2.7.
As a temporary workaround, restrict access to the /web/um device set aliasname API endpoint.
Exploit
Fix
XSS
Affected Products
Nexxt Solutions Ncm-X1800 Mesh Router