CVE-2025-65127

MEDIUM

Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 - Info Disclosure

Title source: llm

Description

A lack of session validation in the web API component of Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 allows remote unauthenticated attackers to access administrative information-retrieval functions intended for authenticated users. By invoking "get_*" operations, attackers can obtain device configuration data, including plaintext credentials, without authentication or an existing session.

References (2)

[Various Sources] https://neutsec.io/advisories/cve-2025-65127

[Various Sources] https://www.zbtwifi.com/

Scores

CVSS v3 6.5

EPSS 0.0003

EPSS Percentile 9.9%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-287

Status published

Published Feb 11, 2026

Tracked Since Feb 18, 2026