CVE-2025-65128

HIGH

Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 - Auth Bypass

Title source: llm

Description

A missing authentication mechanism in the web management API components of Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 allows unauthenticated attackers on the local network to modify router and network configurations. By invoking operations whose names end with "*_nocommit" and supplying the parameters expected by the invoked function, an attacker can change configuration data, including SSID, Wi-Fi credentials, and administrative passwords, without authentication or an existing session.

References (2)

[Various Sources] https://neutsec.io/advisories/cve-2025-65128/

[Various Sources] https://www.zbtwifi.com/

Scores

CVSS v3 8.1

EPSS 0.0002

EPSS Percentile 5.7%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Classification

CWE

CWE-287

Status draft

Timeline

Published Feb 11, 2026

Tracked Since Feb 18, 2026