
CERT Coordination Center

Kiwire Captive Portal contains 3 web vulnerabilities

Vulnerability Note VU#887923

Original Release Date: 2025-10-10 | Last Revised: 2025-10-10

Overview

The Kiwire Captive Portal, provided by SynchroWeb, is an internet access gateway for offering guest internet access in venues where many users connect. Three vulnerabilities were discovered in the product: SQL injection, open redirection, and cross-site scripting (XSS), giving an attacker multiple vectors to compromise the device. All three vulnerabilities have been addressed by the vendor. Customers using the Kiwire Captive Portal are advised to update to the latest version of the product to remediate them.

Description

The Kiwire Captive Portal is a guest Wi-Fi solution that grants users internet access through a login system. It is deployed in a range of settings, including hotels, office networks, and other enterprises. Three vulnerabilities have been discovered in the product that allow an attacker to compromise the Kiwire Captive Portal database, redirect users to a malicious website, and trigger JavaScript when a user visits the captive portal through a URL with the malicious payload appended.

The following is a list of the CVE assignments and their respective vulnerability details:

CVE-2025-11188: The Kiwire Captive Portal contains a blind SQL injection in the nas-id parameter, allowing SQL commands to be issued and the corresponding database to be compromised.

CVE-2025-11190: The Kiwire Captive Portal contains an open redirection issue via the login-url parameter, allowing an attacker to redirect users to an attacker-controlled website.

CVE-2025-11189: The Kiwire Captive Portal contains a reflected cross-site scripting (XSS) vulnerability within the login-url parameter, allowing JavaScript execution.

Impact

The vulnerabilities allow an attacker to exfiltrate sensitive data from the Kiwire Captive Portal database (CVE-2025-11188), redirect a user attempting to log in to the captive portal to a malicious website (CVE-2025-11190), and execute JavaScript on the device that is attempting to log in to the captive portal (CVE-2025-11189). Note that for CVE-2025-11189 and CVE-2025-11190, the portal's domain is automatically trusted on most devices, because it is a local address that users must access before being granted internet access.
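The three issue classes named in the Description and Impact sections, shown from the defender's side in an added Python example (this is not Kiwire code; only the parameter names nas-id and login-url come from the advisory, while the allowlisted hosts, the default target, the table layout and its rows are constructed):

```python
import html
import re
import sqlite3
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist: hosts the portal may send a user to after login.
ALLOWED_REDIRECT_HOSTS = {"portal.example.com", "www.example.com"}
DEFAULT_LOGIN_URL = "/welcome"
NAS_ID_RE = re.compile(r"[A-Za-z0-9_.:-]{1,64}")


def safe_login_url(value):
    """Validate a login-url value; fall back to DEFAULT_LOGIN_URL when it points
    off-site or carries a non-http scheme (the CVE-2025-11190 class)."""
    if not value or "\\" in value:          # browsers treat "/\host" as "//host"
        return DEFAULT_LOGIN_URL
    parts = urlsplit(value.strip())
    if parts.scheme not in ("", "http", "https"):   # rejects javascript:, data:
        return DEFAULT_LOGIN_URL
    if parts.scheme == "":
        # Scheme-less values must be a same-site path, not "//evil.example".
        if parts.netloc or not parts.path.startswith("/"):
            return DEFAULT_LOGIN_URL
    elif parts.hostname not in ALLOWED_REDIRECT_HOSTS:  # also catches user@host
        return DEFAULT_LOGIN_URL
    return urlunsplit(parts)


def render_login_form(login_url):
    """Reflect the validated login-url into HTML. Escaping at the output point
    is what closes the CVE-2025-11189 class, even if validation is loosened."""
    return '<input type="hidden" name="login-url" value="%s">' % html.escape(
        login_url, quote=True)


def lookup_nas(conn, nas_id):
    """Fetch a NAS record by nas-id. Unsafe form this replaces (CVE-2025-11188
    class): conn.execute("... WHERE nas_id = '%s'" % nas_id). Here the value is
    shape-checked, then bound as a parameter so it never enters the SQL text."""
    if not NAS_ID_RE.fullmatch(nas_id or ""):
        return None
    return conn.execute(
        "SELECT nas_id, site FROM nas WHERE nas_id = ?", (nas_id,)).fetchone()


def demo_db():
    """In-memory SQLite table with constructed rows standing in for the portal DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE nas (nas_id TEXT PRIMARY KEY, site TEXT)")
    conn.executemany("INSERT INTO nas VALUES (?, ?)",
                     [("nas-01", "lobby"), ("nas-02", "conference")])
    return conn
```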

Solution

A security advisory is available on the Kiwire website (https://www.synchroweb.com/release-notes/kiwire/security). SynchroWeb will be contacting customers who use affected versions to assist with their patching process.

Acknowledgements

Thanks to the reporters, Joshua Chan (josh.chan@lrqa.com) and Ari Apridana (ari.apridana@lrqa.com) of LRQA. This document was written by Christopher Cullen.

Vendor Information


Synchroweb (status: Unknown)

Notified: 2025-08-27 | Updated: 2025-10-10

CVE-2025-11188: Unknown
CVE-2025-11189: Unknown
CVE-2025-11190: Unknown

Vendor Statement

We have not received a statement from the vendor.


Other Information

CVE IDs: CVE-2025-11188 CVE-2025-11189 CVE-2025-11190
Date Public: 2025-10-10
Date First Published: 2025-10-10
Date Last Updated: 2025-10-10 11:02 UTC
Document Revision: 1

Sponsored by CISA.