XSS vulnerability in UNIVERGE IX series
Number: NV25-005
CVE: CVE-2025-8153
Overview
UNIVERGE IX/IX-R/IX-V series routers contain a cross-site scripting vulnerability (CVE-2025-8153).
- If a user accesses a specially crafted URL, arbitrary scripts may be executed in the user's browser.
- For UNIVERGE IX series routers, if a user who is logged in to the product's management interface sends a specially crafted WebGUI message, arbitrary scripts could execute arbitrary CLI commands on the product.
Products Affected
UNIVERGE IX Series
Affected Version
UNIVERGE IX Series:
All versions from Ver.9.5 to Ver.10.7
from Ver.10.8.21 to Ver.10.8.36
from Ver.10.9.11 to Ver.10.9.24
from Ver.10.10.21 to Ver.10.10.31, Ver.10.11.6
IX2105/IX2106/IX2107/IX2207/IX2025/IX2215/IX2235/IX2310/IX3015/IX3110/IX3315
UNIVERGE IX-R/IX-V Series:
Ver1.3.16, Ver1.3.21
IX-R2520/IX-R2530/IX-R2610-4G/IX-V100
Solution
Please update.
UNIVERGE IX Series
https://jpn.nec.com/univerge/ix/Support/Security-Info/NV25-005.html
UNIVERGE IX-R/IX-V Series
https://jpn.nec.com/univerge/ix-nrv//Support/Security-Info/NV25-005.html
If you cannot apply the update, apply the following workaround.
- Disable the WebGUI
References
CVE-2025-8153
https://www.cve.org/CVERecord?id=CVE-2025-8153
UNIVERGE IX Series
https://jpn.nec.com/univerge/ix/Support/Security-Info/NV25-005.html
UNIVERGE IX-R/IX-V Series
https://jpn.nec.com/univerge/ix-nrv//Support/Security-Info/NV25-005.html
Credit
Reported by RyotaK of GMO Flatt Security Inc. for NEC-PSIRT
Update
- 2025/09/17: First edition