CVE-2025-14126
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-06

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in TOZED ZLT M30S and ZLT M30S PRO 1.47/3.09.06. Affected is an unknown function of the component Web Interface. Such manipulation leads to hard-coded credentials. The attack needs to be initiated within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-06
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-10
EPSS Evaluated
2026-06-14
NVD
CVE-2025-14126
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
tozed zlt_m30s_pro 3.09.06
tozed zlt_m30s 1.47
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-259 The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.
CWE-798 The product contains hard-coded credentials, such as a password or cryptographic key.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by attempting to access the web interface of the affected TOZED ZLT M30S and ZLT M30S PRO devices on the local network using the hard-coded credentials: username "guest" and password "123456". Since the web interface allows administrative access with these credentials, a simple test is to try logging in via a web browser or using command-line tools like curl or wget to verify access. For example, you can use the following command to test login via curl: curl -u guest:123456 http://<device-ip>/admin Replace <device-ip> with the IP address of the device. Successful authentication indicates the presence of the vulnerability. [2]

Executive Summary

This vulnerability exists in the Web Interface component of TOZED ZLT M30S and ZLT M30S PRO devices (versions 1.47/3.09.06). It involves manipulation that leads to hard-coded credentials being exposed or used. The attack must be initiated from within the local network. The vulnerability has been publicly disclosed and the vendor did not respond to the disclosure.

Impact Analysis

The vulnerability can lead to unauthorized access to the affected devices via hard-coded credentials, potentially allowing an attacker on the local network to fully compromise the device's confidentiality, integrity, and availability. This could result in loss of control over the device and exposure of sensitive information.

Mitigation Strategies

There are no known patches or countermeasures available from the vendor, as they did not respond to the disclosure. Immediate mitigation steps include replacing the affected TOZED ZLT M30S and ZLT M30S PRO devices with alternative products that are not vulnerable. Additionally, restrict access to the local network where these devices reside to trusted users only, and monitor for unauthorized access attempts. Since the exploit requires local network access, network segmentation and access controls can help reduce risk. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14126. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart