CRITICAL🇵🇱 Wersja polska

CVE-2025-64075

CVSS 10.0v3.1pub. 2026-02-11upd. 2026-04-15

A path traversal vulnerability in the check_token function of Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 allows remote attackers to bypass authentication and perform administrative actions by supplying a crafted session cookie value.

🤖 AI Analysis
How it works

An attacker sends a crafted session cookie value to the check_token function, which does not properly filter path traversal sequences. As a result, the authentication verification mechanism is completely bypassed. Exploitation requires no authentication, knowledge of an account, or any user interaction on the device.

Impact

An attacker gains the ability to perform arbitrary administrative actions on the device, leading to complete loss of confidentiality, integrity, and availability of the system — including potential configuration changes, network takeover, or use of the device as an entry point to the infrastructure.

Mitigation & patch

Patches available from the manufacturer should be applied in accordance with the references. Until updates are deployed, it is recommended to restrict access to the device management interface only to trusted network segments and monitor traffic for suspicious requests with non-standard cookie values.

Who is affected

Shenzhen Zhibotong Electronics ZBT WE2001 in firmware version 23.09.27

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Path TraversalAuth Bypass
CWE
References