CVE-2025-34467
Unknown Unknown - Not Provided
Denial-of-Service in ZwiiCMS Admin Endpoints via Improper Authorization

Publication date: 2025-12-31

Last updated on: 2026-02-02

Assigner: VulnCheck

Description
ZwiiCMS versions prior to 13.7.00 contain a denial-of-service vulnerability in multiple administrative endpoints due to improper authorization checks combined with flawed resource state management. When an authenticated low-privilege user requests an administrative page, the application returns "404 Not Found" as expected, but incorrectly acquires and associates a temporary lock on the targeted resource with the attacker session prior to authorization. This lock prevents other users, including administrators, from accessing the affected functionality until the attacker navigates away or the session is terminated.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-31
Last Modified
2026-02-02
Generated
2026-06-16
AI Q&A
2025-12-31
EPSS Evaluated
2026-06-15
NVD
CVE-2025-34467
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
zwii zwii_cms *
zwiicms zwiicms to 13.7.00 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-667 The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-34467 is a denial-of-service vulnerability in ZwiiCMS versions prior to 13.7.00. It occurs because the application improperly checks authorization and mismanages resource state on multiple administrative endpoints. When a low-privilege authenticated user requests an administrative page, the system returns a "404 Not Found" as expected but mistakenly acquires and associates a temporary lock on the targeted resource with the attacker's session before verifying authorization. This lock prevents other users, including administrators, from accessing that administrative functionality until the attacker leaves the page or the session ends. [3]

Impact Analysis

This vulnerability can impact you by causing a denial-of-service condition on administrative pages of ZwiiCMS. An authenticated low-privilege user can lock administrative resources improperly, blocking access for other users and administrators. This can disrupt management and maintenance activities on the website, potentially delaying critical administrative tasks and reducing availability of administrative functions. [3]

Mitigation Strategies

To mitigate this vulnerability, you should upgrade ZwiiCMS to version 13.7.00 or later, where the issue has been fixed. Until then, restrict authenticated low-privilege user access to administrative endpoints to prevent exploitation. Additionally, monitor sessions for unusual locking behavior and consider terminating suspicious sessions to restore access to locked administrative resources. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-34467. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart