CVE-2025-65127
Unauthorized Access via Session Validation Bypass in ZBT WE2001 Web API
Publication date: 2026-02-11
Last updated on: 2026-02-17
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| shenzhen_zhibotong_electronics | zbt_we2001 | 23.09.27 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the web API component of the Shenzhen Zhibotong Electronics ZBT WE2001 device, version 23.09.27. It is caused by a lack of session validation, which means that remote attackers can access administrative information-retrieval functions without needing to authenticate or have an active session.

By invoking "get_*" operations, attackers can retrieve sensitive device configuration data, including plaintext credentials, which are normally intended only for authenticated users. [1]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive information such as device configuration data and plaintext credentials. An attacker exploiting this flaw can gain administrative-level information without authentication, potentially compromising the security and integrity of the affected device.
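The CWE-287 pattern described above (information-retrieval handlers reachable without any proof that the caller holds a session) is easiest to see side by side with its fix. The following is an added illustration written for this page; it is not the ZBT WE2001 firmware or the vendor's code. The handler name `get_wifi_config`, the `SessionStore` class, the `dispatch_vulnerable` / `dispatch_hardened` functions and all configuration values are constructed placeholders.

```python
"""CWE-287 illustration: a web API dispatcher that serves "get_*" operations
without validating the session, next to a dispatcher that validates the
session for every operation. Hypothetical code, not the device's firmware."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample device configuration; the values are placeholders.
DEVICE_CONFIG = {
    "wifi_ssid": "example-ssid",
    "wifi_password": "PLACEHOLDER-not-a-real-secret",
    "admin_user": "admin",
}


@dataclass
class SessionStore:
    """Server-side session table mapping an opaque token to a username."""
    sessions: Dict[str, str] = field(default_factory=dict)

    def login(self, username: str) -> str:
        # A fresh random token per login; the client presents it on later calls.
        token = secrets.token_hex(16)
        self.sessions[token] = username
        return token

    def is_valid(self, token: Optional[str]) -> bool:
        if not token:
            return False
        # Constant-time comparison so token checks do not leak timing information.
        return any(hmac.compare_digest(token, stored) for stored in self.sessions)


def get_wifi_config() -> dict:
    """Hypothetical administrative "get_*" handler that returns sensitive data."""
    return {"ssid": DEVICE_CONFIG["wifi_ssid"],
            "password": DEVICE_CONFIG["wifi_password"]}


HANDLERS = {"get_wifi_config": get_wifi_config}


def dispatch_vulnerable(op: str, session_token: Optional[str]) -> dict:
    """CWE-287: the token is accepted as a parameter but never checked, so any
    unauthenticated caller reaches every get_* handler."""
    handler = HANDLERS.get(op)
    if handler is None:
        return {"status": 404, "error": "unknown operation"}
    return {"status": 200, "data": handler()}


def dispatch_hardened(op: str, session_token: Optional[str],
                      store: SessionStore) -> dict:
    """Fix: prove the caller's identity before any handler lookup, for every
    operation rather than only for those that modify state."""
    if not store.is_valid(session_token):
        return {"status": 401, "error": "authentication required"}
    handler = HANDLERS.get(op)
    if handler is None:
        return {"status": 404, "error": "unknown operation"}
    return {"status": 200, "data": handler()}


if __name__ == "__main__":
    store = SessionStore()
    print(dispatch_vulnerable("get_wifi_config", None))        # leaks the config
    print(dispatch_hardened("get_wifi_config", None, store))   # 401
    token = store.login("admin")
    print(dispatch_hardened("get_wifi_config", token, store))  # 200
```

The design point is that the session check sits in front of the dispatcher, not inside individual handlers: a check that each handler must remember to call is exactly the kind that read-only "get_*" operations tend to omit. The same placement also gives defenders a single place to log every rejected unauthenticated request.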
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know