CVE 9.1 CRITICAL

CVE-2025-65128_CVE-2025-65128

February 12, 2026 invoker category_cve

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Description

A missing authentication mechanism in the web management API components of Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 allows unauthenticated attackers on the local network to modify router and network configurations. By invoking operations whose names end with "*_nocommit" and supplying the parameters expected by the invoked function, an attacker can change configuration data, including SSID, Wi-Fi credentials, and administrative passwords, without authentication or an existing session.

AI Analysis

Missing authentication in web management API allowing unauthenticated modification of router and network configurations

Basic Information

ID CVE-2025-65128

Source mitre

Published Feb 11, 2026 at 00:00

Modified Feb 12, 2026 at 14:44

Affected Product

Vendor Shenzhen Zhibotong Electronics

Product ZBT WE2001

Version 23.09.27

Affected Versions n/a n/a n/a

CWE Classification

CWE-287

AI Assessment

AI Score 9.1 / 10

AI Severity Critical

Vendor Shenzhen Zhibotong Electronics

Product ZBT WE2001

Version 23.09.27

References

{
    "lastseen": "",
    "description": "A missing authentication mechanism in the web management API components of Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 allows unauthenticated attackers on the local network to modify router and network configurations. By invoking operations whose names end with \"*_nocommit\" and supplying the parameters expected by the invoked function, an attacker can change configuration data, including SSID, Wi-Fi credentials, and administrative passwords, without authentication or an existing session.",
    "published": "2026-02-11T00:00:00.000Z",
    "modified": "2026-02-12T14:44:32.561Z",
    "type": "cve",
    "title": "CVE-2025-65128",
    "source": "mitre",
    "references": "https://www.zbtwifi.com/\nhttps://neutsec.io/advisories/cve-2025-65128/",
    "id": "CVE-2025-65128",
    "bulletinFamily": "",
    "cwe": [
        "CWE-287"
    ],
    "cvelist": null,
    "sourceData": "n/a n/a n/a",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "ZBT WE2001",
    "version": "23.09.27",
    "vendor": "Shenzhen Zhibotong Electronics",
    "ai_description": "Missing authentication in web management API allowing unauthenticated modification of router and network configurations",
    "ai_severity": "Critical",
    "ai_vendor": "Shenzhen Zhibotong Electronics",
    "ai_product": "ZBT WE2001",
    "ai_version": "23.09.27",
    "ai_score": 9.1
}

💭 Join the Security Discussion ❌ Cancel Reply