PT-2025-49397 · Grandstream · Grandstream Gxp1625


Published: 2025-12-07 · Updated: 2025-12-07 · CVE-2025-14186

CVSS v2.0: 4.0 (Medium)
Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions: Grandstream GXP1625 version 1.0.7.4

Description: A security flaw exists in Grandstream GXP1625 version 1.0.7.4. The issue is a basic cross-site scripting vulnerability, which can be triggered by manipulating the vpn ip argument within an unknown function of the file /cgi-bin/api.values.post of the Network Status Page component. Remote exploitation is possible. The exploit has been released publicly. The vendor was contacted regarding this disclosure but did not respond.

Recommendations: Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the /cgi-bin/api.values.post file to minimize the risk of exploitation.

Tags: Exploit · Fix

Weakness Enumeration: Special Elements Injection; XSS

Related Identifiers: CVE-2025-14186

Affected Products: Grandstream Gxp1625