CVE-2025-65128 · HIGH 8.1 · EPSS p17.4%

Description

A missing authentication mechanism in the web management API components of Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 allows unauthenticated attackers on the local network to modify router and network configurations. By invoking operations whose names end with "*_nocommit" and supplying the parameters expected by the invoked function, an attacker can change configuration data, including SSID, Wi-Fi credentials, and administrative passwords, without authentication or an existing session.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.26% probability of exploitation · percentile 17.4% · 2026-06-19T12:03:05Z
Published: 2026-02-11
Last modified: 2026-04-15

Underlying weaknesses · 1

CWE-287

References

  1. https://neutsec.io/advisories/cve-2025-65128/
  2. https://www.zbtwifi.com/

Type | Target | Confidence | Tier
Weakness | Improper Authentication cwe-287 | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-64075
  2. CVE-2026-9211
  3. CVE-2026-9210
  4. CVE-2026-30702
  5. CVE-2025-68707
  6. CVE-2025-52689

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.