CVE-2025-34467

MEDIUM

ZwiiCMS < 13.7.00 - Authenticated Denial of Service via Administrative Page Lock Persistence

Title source: llm

Description

ZwiiCMS versions prior to 13.7.00 contain a denial-of-service vulnerability in multiple administrative endpoints caused by improper authorization checks combined with flawed resource state management. When an authenticated low-privilege user requests an administrative page, the application returns "404 Not Found" as expected, but before performing the authorization check it has already acquired a temporary lock on the targeted resource and associated it with the requesting (attacker) session. This lock prevents other users, including administrators, from accessing the affected functionality until the attacker navigates away or the session is terminated.

Scores

CVSS v3 4.3
EPSS 0.0019
EPSS Percentile 8.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-667 CWE-863
Status published
Products (2)
fredtempez/ZwiiCMS < 13.7.00
zwiicms/zwiicms < 13.7.00
Published Dec 31, 2025
Tracked Since Feb 18, 2026