CVE-2026-25072
Predictable Session ID Vulnerability in XikeStor SKS8310-8X Switch
Publication date: 2026-03-07
Last updated on: 2026-03-12
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| seekswan | zikestor_sks8310-8x_firmware | up to and including 1.04.B07 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-330 | The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. |
AI Powered Q&A
How can this vulnerability impact me?
A remote attacker who can reach the switch's web interface can hijack an authenticated session by predicting its session identifier, without knowing the user's credentials. The attacker then holds the victim's access rights on the switch, which for an administrator session means the ability to read and change the device configuration.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know
Can you explain this vulnerability to me?
The vulnerability affects XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and earlier. The session identifier issued by the /goform/SetLogin endpoint is generated with insufficient randomness (CWE-330), so the set of identifiers the device could plausibly have issued to a logged-in user is small enough to enumerate. Because the session parameter is also carried in URLs rather than only in a cookie, a guessed identifier can be submitted directly in a request. A remote attacker can therefore predict or brute-force a live session identifier and take over that authenticated session.
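The following is an added example, not code from the page or from the XikeStor firmware, showing why a low-entropy session identifier is guessable and what a correctly generated one looks like. The device's real generator is not public, so the weak generator here is a hypothetical one that seeds a PRNG with the epoch second of the login (a common way CWE-330 appears in embedded web UIs); the timestamps, the attacker's ten-minute window, and the `hijack` string compare standing in for an HTTP request are all constructed for the illustration.

```python
"""Added example (not XikeStor firmware code): why a low-entropy session ID
is guessable, and what a correctly generated one looks like.

The device's real generator is not public. This models a HYPOTHETICAL one
that seeds a PRNG with the epoch second of the login.
"""
import math
import random
import secrets
from typing import List, Optional


def weak_session_id(login_second: int) -> str:
    """Hypothetical weak generator: 8 hex chars from a Mersenne Twister
    seeded with the login timestamp. Same second -> same token."""
    rng = random.Random(login_second)
    return f"{rng.getrandbits(32):08x}"


def strong_session_id() -> str:
    """Correct pattern: 128 bits straight from the OS CSPRNG."""
    return secrets.token_hex(16)


def recover_login_second(observed: str, approx: int, window: int) -> Optional[int]:
    """Attacker step 1: confirm the generator model by recovering the seed of a
    token they legitimately hold (their own login), searching +/- window seconds."""
    for t in range(approx - window, approx + window + 1):
        if weak_session_id(t) == observed:
            return t
    return None


def candidate_session_ids(victim_login_approx: int, window: int) -> List[str]:
    """Attacker step 2: every token the device could have issued to a victim
    who logged in within +/- window seconds of the estimate. This list, not
    the nominal 2^32 space, is the real search space."""
    return [
        weak_session_id(t)
        for t in range(victim_login_approx - window, victim_login_approx + window + 1)
    ]


def hijack(victim_token: str, victim_login_approx: int, window: int) -> Optional[str]:
    """Attacker step 3: try each candidate as the session parameter. Here the
    'request' is a string compare; against a device it would be one HTTP
    request per candidate carrying the guessed ID in the URL."""
    for cand in candidate_session_ids(victim_login_approx, window):
        if cand == victim_token:
            return cand
    return None


def guess_cost_bits(num_candidates: int) -> float:
    """Effective entropy the attacker faces: log2 of the candidate count."""
    return math.log2(num_candidates)


if __name__ == "__main__":
    # Constructed scenario: the victim logs in at this epoch second; the attacker
    # only knows it to within ten minutes (e.g. from a syslog line).
    victim_login = 1_760_000_300
    attacker_estimate = 1_760_000_000
    window = 600

    victim_token = weak_session_id(victim_login)
    n = len(candidate_session_ids(attacker_estimate, window))
    print(f"weak: {n} candidates, ~{guess_cost_bits(n):.1f} bits of work")
    print("hijacked:", hijack(victim_token, attacker_estimate, window) == victim_token)

    # Against a CSPRNG token the timing lever buys nothing: the candidate list
    # is still 1201 strings, but the real space is 2^128.
    print("strong token hijacked:", hijack(strong_session_id(), attacker_estimate, window))
    print(f"strong: ~{guess_cost_bits(2 ** 128):.0f} bits of work")
```

The point of `recover_login_second` is that an attacker never has to reverse-engineer the generator blind: one token they obtained legitimately is enough to confirm the model, after which every other user's token is a short enumeration bounded by how well the login time is known. The fix is the one `strong_session_id` shows: draw the identifier from the OS CSPRNG with at least 128 bits, and stop carrying it in URLs, where it leaks through logs, referers and browser history.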