
CVE-2025-6185

CISA ICS Advisory

ICSA-25-198-01

Summary

Leviton (formerly Obvius) AcquiSuite and Energy Monitoring Hub are vulnerable to reflected Cross-Site Scripting (XSS). An attacker can craft a malicious payload in URL parameters that executes in the client browser when a user accesses the link, allowing the attacker to steal session tokens and control the service.

Versions Impacted

The products affected are:

| Vendor | Product | Version Impacted |
|---|---|---|
| Leviton | AcquiSuite | Version A8810 |
| Leviton | Energy Monitoring Hub | Version A8812 |

Vulnerability Details

This vulnerability is critical in environments where these devices are exposed to shared networks or the internet, particularly in building automation, energy infrastructure, or industrial settings.

An attacker can craft a payload containing malicious HTML and JavaScript in the “TITLE” URL parameter of the administrative interface of these devices. This code runs in the browser of a victim (the server administrator) who clicks the link.

A proof-of-concept payload that generates an alert in the victim’s browser by means of JavaScript reflected by the server:

https://vuln_target/setup/asmodule/Obvius_BACnet/exec.cgi?EXEC=network.sh&COMMAND=Scan+Network+Prompt&TITLE=BACnet+Discover+%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E

As an example, consider a benign payload such as this (which would need to be URL encoded):

BACnet Discover <img src='https://wiki.notveg.ninja/assets/images/profile.png' width="100" height="100"/>

This would lead to reflection of the parameter.

The injected JavaScript would be added to the page to trigger the payload.

Impact

An attacker can use this to execute malicious HTML and JavaScript in the DAQ server administrator's browser, potentially stealing administrative session tokens and gaining control of the DAQ server.

CISA recommends in ICSA-25-198-01 that users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities of their own and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
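
Alongside these measures, access logs from a proxy placed in front of the device can be searched for requests to exec.cgi whose TITLE parameter decodes to markup. The Python script below is an added example, not code from the advisory or from Leviton; the combined access-log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# A page title has no need for tags, script URLs or event-handler attributes.
SUSPICIOUS = re.compile(r"[<>]|javascript:|\bon\w+\s*=", re.IGNORECASE)
# Request field of a combined-format access log line (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def decode_fully(value, max_rounds=3):
    """Normalize nested percent-encoding before matching."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_title(url):
    """Return the decoded TITLE value if it carries markup, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/exec.cgi"):
        return None
    for key, val in parse_qsl(parts.query, keep_blank_values=True):
        title = decode_fully(val)  # parse_qsl already decoded one layer
        if key.upper() == "TITLE" and SUSPICIOUS.search(title):
            return title
    return None

def scan(log_lines):
    """Return (line_number, decoded_title) for every flagged request."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        title = suspicious_title(m.group(1)) if m else None
        if title is not None:
            hits.append((n, title))
    return hits

# Constructed sample lines; client IPs, timestamps and sizes are made up.
PATH = "/setup/asmodule/Obvius_BACnet/exec.cgi?EXEC=network.sh&COMMAND=Scan+Network+Prompt&TITLE="
SAMPLE_LOG = [
    f'10.0.0.5 - - [19/Jul/2025:10:00:01 +0000] "GET {PATH}BACnet+Discover HTTP/1.1" 200 512',
    f'10.0.0.9 - - [19/Jul/2025:10:02:17 +0000] "GET {PATH}BACnet+Discover+%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E HTTP/1.1" 200 540',
    f'10.0.0.9 - - [19/Jul/2025:10:03:40 +0000] "GET {PATH}BACnet+Discover+%253Cimg+src%253Dx%253E HTTP/1.1" 200 530',
]

if __name__ == "__main__":
    for n, title in scan(SAMPLE_LOG):
        print(f"line {n}: TITLE decodes to {title!r}")
```

A hit shows that a crafted link was requested, not that a session was compromised; correlate it with the administrator's activity at that time.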

Disclosure Timeline

Jan 25, 2025 Case opened with CERT Coordination Center (CERT/CC).
Jan 29, 2025 CISA ICS coordinator assigned.
Jul 17, 2025 CISA ICS confirms no action from Leviton and publishes ICSA-25-198-01.
Jul 19, 2025 Responsible public disclosure of details.

Acknowledgements

A shout out to the Technical Editors and Writers at CISA Industrial Control Systems Vulnerability Management and Coordination for being prompt on their communications, and their assistance on disclosing the issue.
