CVE-2025-65212 · CRITICAL 9.8 · EPSS p90.5%

Description

An issue was discovered in NJHYST HY511 POE core before 2.1 and plugins before 0.1. The vulnerability stems from the device's insufficient cookie verification, which allows an attacker to request the configuration file address directly and download the core configuration file without logging into the device management backend. By reading the corresponding username and self-decrypted MD5 password in the core configuration file, the attacker can log in to the backend directly, thereby bypassing the backend's front-end login page.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.62% probability of exploitation · percentile 90.5% · 2026-06-19T12:03:05Z
Published: 2026-01-06
Last modified: 2026-01-29

Underlying weaknesses · 1

CWE-565

References

  1. https://gist.github.com/a2148001284/bcdda75fc8718454f16a7b9259463719
  2. https://github.com/a2148001284/test1/blob/main/%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE%E5%90%8E%E5%8F%B0%E6%BC%8F%E6%B4%9EEN.md

| Type | Target | Confidence | Tier |
| --- | --- | --- | --- |
| Weakness | Reliance on Cookies without Validation and Integrity Checking (cwe-565) | 0% | live |

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-60772
  2. CVE-2025-56752
  3. CVE-2025-46412
  4. CVE-2025-56113
  5. CVE-2025-56099
  6. CVE-2025-6763

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.