CVE-2025-2864: Reflected Cross-Site Scripting (XSS) vulnerability in saTECH BCU

2.0 CVSS

Description

SaTECH BCU in its firmware version 2.1.3 allows an attacker to inject malicious code into the legitimate website owning the affected device, once the cookie is set. This attack only impacts the victim's browser (reflected XSS).

Classification

CVE ID: CVE-2025-2864

CVSS Base Severity: LOW

CVSS Base Score: 2.0

CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N

Problem Types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Affected Products

Vendor: Arteche

Product: saTECH BCU

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 12.12% (scored less or equal to compared to others)

EPSS Date: 2025-04-18 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-2864
https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-arteches-satech-bcu

Timeline

2025-03-28 14:40:12 UTC
CVE

Reflected Cross-Site Scripting (XSS) vulnerability in saTECH BCU