CVE-2025-2864: Reflected Cross-Site Scripting (XSS) vulnerability in saTECH BCU
First published: Fri Mar 28 2025(Updated: )
SaTECH BCU in its firmware version 2.1.3 allows an attacker to inject malicious code into the legitimate website owning the affected device, once the cookie is set. This attack only impacts the victim's browser (reflected XSS).
Credit: cve-coordination@incibe.es
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SaTECH BCU |
Remedy
The vulnerability has been fixed by Arteche in firmware version 2.2.1.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2025-2864?
CVE-2025-2864 has a high severity rating due to its potential for code injection and exploitation of victims' browsers.
How do I fix CVE-2025-2864?
To address CVE-2025-2864, update the firmware of the SaTECH BCU to the latest version provided by the vendor.
What type of attack does CVE-2025-2864 enable?
CVE-2025-2864 enables a reflected cross-site scripting (XSS) attack that affects the victim's browser.
Who is impacted by CVE-2025-2864?
Users of the SaTECH BCU firmware version 2.1.3 are at risk of being impacted by CVE-2025-2864.
Can CVE-2025-2864 lead to further compromises?
Yes, if successfully exploited, CVE-2025-2864 could lead to further compromises by allowing attackers to execute malicious code in user browsers.
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/weakness
- agent/references
- agent/title
- agent/description
- agent/type
- agent/first-publish-date
- agent/guess-ai
- agent/software-canonical-lookup
- agent/softwarecombine
- agent/author
- agent/severity
- agent/event
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- collector/epss-latest
- source/FIRST
- agent/source
- agent/tags
- agent/epss
- vendor/satech
- canonical/satech bcu