1. EXECUTIVE SUMMARY
- CVSS v4 8.7
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Leviton
- Equipment: AcquiSuite, Energy Monitoring Hub
- Vulnerability: Cross-site Scripting
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to craft a malicious payload in URL parameters that would execute in a client browser when accessed by a user, steal session tokens, and control the service.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Leviton AcquiSuite and Leviton Energy Monitoring Hub are affected:
- AcquiSuite: Version A8810
- Energy Monitoring Hub: Version A8812
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79
The affected products are susceptible to a cross-site scripting (XSS) vulnerability, allowing an attacker to craft a malicious payload in URL parameters, which would execute in a client browser when accessed by a user, steal session tokens, and control the service.
CVE-2025-6185 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2025-6185. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N).