CVE-2025-65127
Awaiting Analysis Awaiting Analysis - Queue

Unauthorized Access via Session Validation Bypass in ZBT WE2001 Web API

Vulnerability report for CVE-2025-65127, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-11

Last updated on: 2026-02-17

Assigner: MITRE

Description

A lack of session validation in the web API component of Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 allows remote unauthenticated attackers to access administrative information-retrieval functions intended for authenticated users. By invoking "get_*" operations, attackers can obtain device configuration data, including plaintext credentials, without authentication or an existing session.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-11
Last Modified
2026-02-17
Generated
2026-07-06
AI Q&A
2026-02-11
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
shenzhen_zhibotong_electronics zbt_we2001 23.09.27

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'This vulnerability exists in the web API component of the Shenzhen Zhibotong Electronics ZBT WE2001 device, version 23.09.27. It is caused by a lack of session validation, which means that remote attackers can access administrative information-retrieval functions without needing to authenticate or have an active session.'}, {'type': 'paragraph', 'content': 'By invoking "get_*" operations, attackers can retrieve sensitive device configuration data, including plaintext credentials, which are normally intended only for authenticated users.'}] [1]

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information such as device configuration data and plaintext credentials. An attacker exploiting this flaw can gain administrative-level information without authentication, potentially compromising the security and integrity of the affected device.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-65127. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart