HackRTU Blog

Learn about vulnerabilities and technical information from a different perspective, and stay up to date with everything HackRTU is doing.

Discover the latest articles on industrial cybersecurity, OT vulnerabilities, device analysis, technical research, 0-days and relevant news from the sector. In the HackRTU blog we go deep into the security of industrial systems, the IEC 62443 family of standards, and trends and research in the field of industrial cybersecurity.

CVE-2025-13650 AFFECTING ZEUSWEB FROM MICROCOM


ADVISORY HRTU#0001


The HackRTU CNA has coordinated the new vulnerability CVE-2025-13650, of medium severity, in the ZeusWeb industrial SCADA solution from MICROCOM. This vulnerability was discovered by Aarón Flecha Menéndez and Víctor Bello Cuevas.


DETAILS OF THE AFFECTED SOLUTION:

  • Provider: Microcom
  • Specific model: ZeusWeb
  • Affected firmware version: 6.1.31


SPECIFIC INFORMATION OF THE 0-DAY VULNERABILITY:

The vulnerability has been assigned the following identifier, CVSS v4.0 base score, CVSS vector, CWE and CAPEC vulnerability type:

  • CVE-2025-13650: REFLECTED CROSS-SITE SCRIPTING (XSS) ON MICROCOM'S ZEUSWEB
    • CVSS v4.0: 5.1 (Medium)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
    • CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    • CAPEC-63 Cross-Site Scripting (XSS)
      • CAPEC-591 Reflected XSS
    • CPE 2.3 Applicability:
      • cpe:2.3:a:microcom:zeusweb:6.1.31:*:*:*:*:*:*:*
    • EPSS: **Will be updated as soon as published**


CVE DESCRIPTION:

An attacker with access to Microcom's ZeusWeb web application (in this case no registration is required, but the action must be performed) running the vulnerable software could introduce arbitrary JavaScript by injecting an XSS payload into the 'Surname' parameter of the 'Create Account' operation at the URL: https://zeus.microcom.es:4040/index.html?zeus6=true.

This issue affects ZeusWeb: 6.1.31.
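To make the CWE-79 pattern behind this advisory concrete, the following is an added, constructed example written for this page; it is not ZeusWeb code and does not reproduce the affected application. It assumes a hypothetical "account created" page that reflects the submitted 'Surname' value, shows the vulnerable rendering next to the hardened one (HTML output encoding), and runs a simple detection check over constructed access-log lines whose format is also an assumption.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed example for CWE-79 (reflected XSS). Not ZeusWeb code: the page
# layout, the parameter handling and the log format are assumptions.


def render_vulnerable(surname: str) -> str:
    """Reflects the submitted value verbatim into the HTML body.

    This is the CWE-79 pattern: any '<', '>' or quote characters in the
    untrusted value become live markup in the response.
    """
    return f"<p>Account created for surname: {surname}</p>"


def render_hardened(surname: str) -> str:
    """Same page with context-aware output encoding for an HTML text node.

    html.escape() turns &, <, >, " and ' into character references, so the
    browser displays the text but never parses it as markup.
    """
    return f"<p>Account created for surname: {html.escape(surname, quote=True)}</p>"


def reflects_unescaped(page: str, untrusted: str) -> bool:
    """Check whether an untrusted value survived into the page as raw markup.

    True only when the value contains markup-significant characters and
    appears in the response byte-for-byte, i.e. without any encoding.
    """
    return any(c in untrusted for c in "<>\"'") and untrusted in page


# Detection side: constructed access-log lines in the assumed shape
# '<ip> "<METHOD> <path?query>" <status>' (not a real ZeusWeb log).
SAMPLE_LOG = [
    '10.0.0.5 "GET /index.html?zeus6=true&surname=Garcia" 200',
    '10.0.0.9 "GET /index.html?zeus6=true&surname=%3Cscript%3Ealert(1)%3C%2Fscript%3E" 200',
    '10.0.0.7 "GET /index.html?zeus6=true&surname=O%27Brien" 200',
]

REQ_RE = re.compile(r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<target>\S+)" (?P<status>\d{3})$')
# A tag start, an inline event handler or a javascript: URL in the decoded value.
MARKUP_RE = re.compile(r"<\s*/?[a-zA-Z]|javascript:|on[a-z]+\s*=", re.IGNORECASE)


def flag_markup_in_param(lines, param="surname"):
    """Return (ip, decoded value) for requests whose parameter decodes to markup.

    parse_qs() percent-decodes the query first, so encoded probes are caught.
    A lone apostrophe (O'Brien) is a legitimate surname and is not flagged.
    """
    hits = []
    for line in lines:
        m = REQ_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query).get(param, []):
            if MARKUP_RE.search(value):
                hits.append((m.group("ip"), value))
    return hits


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"
    print(render_vulnerable(probe))   # raw markup reaches the browser
    print(render_hardened(probe))     # rendered as inert text
    print(flag_markup_in_param(SAMPLE_LOG))
```

The encoding in render_hardened is the fix for an HTML text-node context only; a value placed inside an attribute, a URL or a script block needs the encoding appropriate to that context, which is why the CWE is named "improper neutralization" rather than "missing escaping".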


SOLUTIONS, MITIGATIONS AND INFORMATION:

The provider Microcom has released the new version 6.2.5, which fixes the security issue detected in the previous version. The end user does not need to perform any update action, as the software is cloud-based and managed by the provider, who has deployed the new version for all users.


REFERENCES:

Specific links related to this advisory:


HACKRTU TEAM