External risk intelligence

Fanvil X210 Reflected XSS Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.6)

CVE-2025-64054

The vulnerability affects an administrative web interface on an IP phone. While these devices are typically deployed within internal networks, administrative web portals are occasionally exposed to the internet or reachable via VPNs/proxies in some deployment scenarios, making internet reachability possible but not the default or intended design for normal use.

Cross-site Scripting

Fanvil X210 Firmware

2.12.20

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Fanvil IP phones that could allow an attacker to execute commands or disrupt service. This issue affects the administrative web interface and requires user interaction to be exploited. The main concern is confirming whether these devices are exposed in a way that makes them reachable by attackers.

  • Unauthenticated command execution risk on IP phones.
  • Potential for disruption of communication services.
  • Confirm relevance and exposure to internal/external threats.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending a specially crafted POST request to a specific endpoint on an affected Fanvil device. This request, when processed by the device's web configuration interface, could lead to a denial of service or allow for the execution of arbitrary commands.

  • Entry condition: Network access to the device's web interface.
  • Trigger point: Sending a crafted POST request to a specific endpoint.
  • Resulting risk: Denial of service or arbitrary command execution.

Live Threat

Current exploitation, exposure, and threat context

A reflected cross-site scripting vulnerability in Fanvil x210 devices could allow an attacker to disrupt service or execute arbitrary commands through a specially crafted POST request when a user interacts with the web configuration interface.

  • Device configuration and service.
  • Via crafted POST requests to the web interface.
  • Denial of service or command execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

This reflected cross-site scripting vulnerability impacts Fanvil devices, likely managed by IT infrastructure or endpoint management teams. The first step is to identify all deployed Fanvil x210 devices, confirm their network reachability and business criticality, and then determine the accountable owner for remediation planning.

  • Own the issue: IT infrastructure/endpoint management.
  • Verify first: Device reachability and criticality.
  • Action: Plan targeted remediation.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Fanvil X210 and what is it used for?

The Fanvil X210 is a type of IP phone frequently used in business environments for voice communication. It includes an administrative web interface that allows IT staff to configure settings, manage device features, and oversee network connectivity. Because this interface controls the phone's operation, it is a critical component for both user productivity and system management within an office network.

What does CVE-2025-64054 mean by reflected XSS?

Reflected Cross-Site Scripting (XSS), identified as CWE-79, is a security weakness where an application includes untrusted data in a web page without proper validation. In the context of CVE-2025-64054, it means an attacker can inject malicious code into a specific web request. When a user interacts with the web interface, the phone unintentionally executes that code, potentially leading to unauthorized command execution or disrupting the device's availability.

How is this vulnerability triggered?

This flaw is triggered when a specially crafted POST request is sent to the device's web configuration endpoint. It requires user interaction to succeed; simply having network access is not enough. The vulnerability is not triggered by standard, legitimate configuration changes made by authorized administrators, but rather by malicious inputs specifically designed to exploit the way the device processes web requests.

Is my device at risk if it is behind a firewall?

Halo Surface Signal notes that while these IP phones are usually kept on internal networks, some administrative portals are accidentally exposed to the internet or reachable through VPNs. If your device interface is restricted to internal-only access, it is less likely to be reachable by external attackers. However, you should confirm the network visibility of all administrative web interfaces to ensure they are not inadvertently accessible.

What should I do if I manage Fanvil X210 devices?

Your first step is to create an inventory of all deployed Fanvil X210 devices to understand how many are in use. Check their network configuration to determine which devices are reachable from untrusted networks. Once you have identified the impacted units, determine their business criticality and coordinate with your IT or infrastructure team to prioritize remediation and secure these management interfaces.

References