Kiwire Captive Portal vulnerabilities prompt update recommendation
Overview
The Kiwire Captive Portal, provided by SynchroWeb, is an internet access gateway intended to provide guest internet access in locations where many users connect. Three vulnerabilities were discovered within the product: Structured Query Language (SQL) injection, open redirection, and cross-site scripting (XSS), giving an attacker multiple vectors to compromise the device. All three vulnerabilities have been addressed by the vendor. Customers using the Kiwire Captive Portal are recommended to update to the latest version of the product to remediate the vulnerabilities.
Description
The Kiwire Captive Portal is a guest Wi-Fi solution that provides users with internet access through a login system. The product is deployed in a variety of settings, including hotels, offices, and other enterprises. Three vulnerabilities have been discovered within the product that allow an attacker to compromise the Kiwire Captive Portal database, redirect users to a malicious website, and trigger JavaScript when a user visits the captive portal with a malicious payload appended to the Uniform Resource Locator (URL).
The following is a list of the Common Vulnerabilities and Exposures (CVE) assignments and their respective vulnerability details:
- CVE-2025-11188: The Kiwire Captive Portal contains a blind SQL injection in the nas-id parameter, allowing an attacker to issue SQL commands and compromise the corresponding database.
- CVE-2025-11190: The Kiwire Captive Portal contains an open redirection issue via the login-url parameter, allowing an attacker to redirect users to an attacker-controlled website.
- CVE-2025-11189: The Kiwire Captive Portal contains a reflected Cross-Site Scripting (XSS) vulnerability within the login-url parameter, allowing for JavaScript execution.
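As an added illustration of the mitigations these three issues call for (not Kiwire's or SynchroWeb's code, and not the vendor's actual fix), the hypothetical portal handlers below validate login-url against a constructed allow-list of hosts before redirecting, escape it before reflecting it into HTML, and bind nas-id as a query parameter instead of splicing it into SQL text. Table and host names are constructed for the example.

```python
import html
import sqlite3
from urllib.parse import urlsplit

# Constructed allow-list: the only hosts the portal may send a user to after login.
ALLOWED_REDIRECT_HOSTS = {"portal.example.test", "www.example.test"}
PORTAL_HOME = "https://portal.example.test/welcome"


def safe_login_url(raw: str) -> str:
    """Accept a login-url value only if it is an absolute http(s) URL whose
    host is allow-listed. Other hosts, protocol-relative '//host' values,
    non-http schemes and userinfo tricks ('https://good@evil/') all fall
    back to the portal's own landing page, closing the open redirect."""
    candidate = raw.strip()
    parts = urlsplit(candidate)
    if parts.scheme not in ("http", "https"):
        return PORTAL_HOME
    if parts.hostname is None or parts.hostname.lower() not in ALLOWED_REDIRECT_HOSTS:
        return PORTAL_HOME
    return candidate


def render_login_link(login_url: str) -> str:
    """Reflect a login-url value into markup with every attribute-breaking
    character escaped, so the reflected value can never become HTML or script."""
    return '<a href="%s">Continue</a>' % html.escape(login_url, quote=True)


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the portal's NAS (access point) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE nas (nas_id TEXT PRIMARY KEY, site TEXT)")
    conn.executemany("INSERT INTO nas VALUES (?, ?)",
                     [("ap-1", "lobby"), ("ap-2", "conference")])
    return conn


def lookup_nas_site(conn: sqlite3.Connection, nas_id: str):
    """Bind nas-id as a parameter: the value is data, never SQL text, so quotes
    or boolean clauses inside it cannot alter the query (no blind injection)."""
    row = conn.execute("SELECT site FROM nas WHERE nas_id = ?", (nas_id,)).fetchone()
    return row[0] if row else None
```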
Impact
The vulnerabilities allow an attacker to exfiltrate sensitive data from the Kiwire Captive Portal database (CVE-2025-11188), redirect a user attempting to log in to the captive portal to a malicious website (CVE-2025-11190), and execute JavaScript on the device that is attempting to log in to the captive portal (CVE-2025-11189). It should be noted that, regarding CVE-2025-11189 and CVE-2025-11190, the portal's domain is automatically trusted on most devices because it is a local address that users must access before being granted internet access.
Solution
A security advisory is available on the Kiwire website: https://www.synchroweb.com/release-notes/kiwire/security. SynchroWeb will be contacting individuals who use affected versions to assist in their patching process.
Acknowledgements
Thanks to the reporters, Joshua Chan ([email protected]) and Ari Apridana ([email protected]) of LRQA. This document was written by Christopher Cullen.
Vendor Information
One or more vendors are listed for this advisory. Please reference the full report for more information.
References
Other Information
| CVE IDs: | CVE-2025-11188, CVE-2025-11189, CVE-2025-11190 |
| Date Public: | 2025-10-10 |
| Date First Published: | 2025-10-10 |
| Date Last Updated: | 2025-10-10 11:02 UTC |
| Document Revision: | 1 |