CVE-2025-65128

CRITICAL SEVERITY

CVSS Score & Metrics

Base Score

9.1 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N                                    

Vulnerability Description

A missing authentication mechanism in the web management API components of Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 allows unauthenticated attackers on the local network to modify router and network configurations. By invoking operations whose names end with "*_nocommit" and supplying the parameters expected by the invoked function, an attacker can change configuration data, including SSID, Wi-Fi credentials, and administrative passwords, without authentication or an existing session.

Vulnerability Details

Published Date

February 11, 2026

Last Modified

February 17, 2026

CWE ID

CWE-287

Source

NVD

External References

https://neutsec.io/advisories/cve-2025-65128/
https://www.zbtwifi.com/

CVE-2025-65128

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment