CVE-2025-6185
CVE-2025-6185
CISA ICS Advisory
Summary
Leviton (formerly Obvius) AcquiSuite and Energy Monitoring Hub are vulnerable to reflected Cross-Site Scripting (XSS), allowing an attacker to craft a malicious payload in URL parameters, which would execute in a client browser when accessed by a user, steal session tokens, and control the service.
Versions Impacted
The products affected are :
| Vendor | Product | Version Impacted |
|---|---|---|
| Leviton | AcquiSuite | Version A8810 |
| Leviton | Energy Monitoring Hub | Version A8812 |
Vulnerability Details
This vulnerability is critical in environments where these devices are exposed to shared networks or the internet, particularly in building automation, energy infrastructure, or industrial settings.
An attacker can craft a payload in the “TITLE” URL parameter of the Administrative interface of these devices with malicious HTML and JavaScript. This malicious code would run on a victim’s (server administrator) browser who clicks this link.
A proof of concept payload that generates an alert on the victim’s browser by means of the JavaScript reflected by the server :
https://vuln_target/setup/asmodule/Obvius_BACnet/exec.cgi?EXEC=network.sh&COMMAND=Scan+Network+Prompt&TITLE=BACnet+Discover+%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E
As an example, consider a benign payload such as this (which would need to be URL encoded) :
BACnet Discover <img src='https://wiki.notveg.ninja/assets/images/profile.png' width="100"height="100"/>
This would lead to reflection of the parameter :
The injected JavaScript would be added to the page to trigger the payload :
Impact
An attacker can use this to execute malicious HTML and JavaScript on the DAQ server administrators browser to potentially steal administrative session tokens and gain control of the DAQ server.
Recommended Mitigations
As CISA recommends in (ICSA-25-198-01) users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls and isolating them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities of their own and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
Disclosure Timeline
| Jan 25, 2025 | Case opened with CERT Coordination Center (CERT/CC). |
| Jan 29, 2025 | CISA ICS coordinator assigned. |
| Jul 17, 2025 | CISA ICS confirms no action from Leviton and publishes ICSA-25-198-01. |
| Jul 19, 2025 | Responsible public disclosure of details. |
Acknowledgements
A shout out to the Technical Editors and Writers at CISA Industrial Control Systems Vulnerability Management and Coordination for being prompt on their communications, and their assistance on disclosing the issue.