
Overview
The Kiwire Captive Portal, provided by SynchroWeb, is an internet access gateway for offering guest internet access in environments where many users connect. Three vulnerabilities were discovered in the product: SQL injection, open redirection, and cross-site scripting (XSS), giving an attacker multiple vectors to compromise the device or its users. All three vulnerabilities have been addressed by the vendor. Customers using the Kiwire Captive Portal are advised to update to the latest version of the product to remediate the vulnerabilities.
Description
The Kiwire Captive Portal is a guest Wi-Fi solution that grants users internet access through a login page. The product is deployed in a variety of settings, including hotels, office networks, and other enterprises. Three vulnerabilities have been discovered in the product that allow an attacker to compromise the Kiwire Captive Portal database, redirect users to a malicious website, and execute JavaScript in a user's browser when the user visits a captive portal URL carrying a malicious payload.
The following is the list of CVE assignments and their respective vulnerability details:
CVE-2025-11188
The Kiwire Captive Portal contains a blind SQL injection vulnerability in the nas-id parameter, allowing an attacker to issue SQL commands and compromise the corresponding database.
CVE-2025-11190
The Kiwire Captive Portal contains an open redirection vulnerability in the login-url parameter, allowing an attacker to redirect users to an attacker-controlled website.
CVE-2025-11189
The Kiwire Captive Portal contains a reflected cross-site scripting (XSS) vulnerability in the login-url parameter, allowing an attacker to execute JavaScript in the user's browser.
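The following is an added illustration of the three vulnerability classes above; it is not Kiwire's code and makes no claim about how the product is implemented. A hypothetical request handler is shown for each class beside its hardened form: a nas-id lookup built by string concatenation versus parameter binding, a login-url redirect that trusts the parameter versus one restricted to local paths, and a login-url value reflected raw into HTML versus HTML-encoded. The nas table, its rows, the handler functions and all probe inputs are constructed for the example.

```python
import html
import sqlite3
from urllib.parse import urlsplit


def make_db():
    """Constructed in-memory stand-in for a portal database (not Kiwire's schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE nas (nas_id TEXT PRIMARY KEY, secret TEXT)")
    db.executemany("INSERT INTO nas VALUES (?, ?)",
                   [("ap-lobby-01", "s3cret-1"), ("ap-conf-02", "s3cret-2")])
    return db


# --- SQL injection class (CVE-2025-11188 is in the nas-id parameter) -------
def nas_exists_vulnerable(db, nas_id):
    # Concatenation: the attacker's nas-id value becomes part of the SQL text.
    sql = "SELECT 1 FROM nas WHERE nas_id = '" + nas_id + "'"
    return db.execute(sql).fetchone() is not None


def nas_exists_safe(db, nas_id):
    # Parameter binding: the value is sent separately and never parsed as SQL.
    sql = "SELECT 1 FROM nas WHERE nas_id = ?"
    return db.execute(sql, (nas_id,)).fetchone() is not None


# --- Open redirect class (CVE-2025-11190 is in the login-url parameter) ---
def redirect_target_vulnerable(login_url):
    # Redirects wherever the parameter says, including off-site.
    return login_url


def redirect_target_safe(login_url, default="/"):
    # Accept only a local absolute path: no scheme, no host, and not a
    # scheme-relative "//host" (backslashes are normalised first because
    # browsers treat "/\host" like "//host").
    if not login_url:
        return default
    parts = urlsplit(login_url.replace("\\", "/"))
    if parts.scheme or parts.netloc:
        return default
    if not login_url.startswith("/") or login_url.startswith("//"):
        return default
    return login_url


# --- Reflected XSS class (CVE-2025-11189 is in the login-url parameter) ---
def render_login_link_vulnerable(login_url):
    # Reflects the raw parameter into an HTML attribute.
    return '<a href="' + login_url + '">Continue</a>'


def render_login_link_safe(login_url):
    # HTML-encode for the attribute context; in a real handler also pass the
    # value through redirect_target_safe() so the href is a safe destination.
    return '<a href="' + html.escape(login_url, quote=True) + '">Continue</a>'


def demo():
    """Run constructed probes against both versions and return the outcomes."""
    db = make_db()
    # Boolean-based (blind) probe: true if the first character of a stored
    # secret is 's'; a blind injection leaks data one such answer at a time.
    oracle = ("' OR (SELECT substr(secret,1,1) FROM nas "
              "WHERE nas_id='ap-lobby-01')='s")
    xss = '"><script>alert(1)</script>'
    return {
        "sqli_vulnerable_oracle": nas_exists_vulnerable(db, oracle),
        "sqli_safe_oracle": nas_exists_safe(db, oracle),
        "redirect_vulnerable": redirect_target_vulnerable("https://attacker.example/"),
        "redirect_safe": redirect_target_safe("https://attacker.example/"),
        "xss_vulnerable": render_login_link_vulnerable(xss),
        "xss_safe": render_login_link_safe(xss),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The blind-injection probe answers only true or false, which is why the vulnerable lookup leaks the stored secret one character at a time while the bound-parameter version treats the whole string as a literal nas-id that does not exist. The redirect check rejects absolute URLs, scheme-relative and backslash variants, and non-http schemes in the same pass, and the encoded link keeps an injected quote from closing the attribute.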
Impact
The vulnerabilities allow an attacker to exfiltrate sensitive data from the Kiwire Captive Portal database (CVE-2025-11188), redirect a user attempting to log in to the captive portal to a malicious website (CVE-2025-11190), and execute JavaScript in the browser of a device attempting to log in to the captive portal (CVE-2025-11189). Note that for CVE-2025-11189 and CVE-2025-11190, the portal's domain is automatically trusted on most devices because it is a local address that users must visit before being granted internet access, so users have little reason to distrust a crafted link to it.
Solution
A security advisory is available on the Kiwire website: https://www.synchroweb.com/release-notes/kiwire/security
SynchroWeb will be contacting customers running affected versions to assist with their patching process.
Acknowledgements
Thanks to the reporters, Joshua Chan (josh.chan@lrqa.com) and Ari Apridana (ari.apridana@lrqa.com) of LRQA. This document was written by Christopher Cullen.