CVE-2026-25072 (CRITICAL 9.8, EPSS percentile 38.5%)

Description

XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain a predictable session identifier vulnerability in the /goform/SetLogin endpoint that allows remote attackers to hijack authenticated sessions. Attackers can predict session identifiers using insufficiently random cookie values and exploit exposed session parameters in URLs to gain unauthorized access to authenticated user sessions.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.50% probability of exploitation · percentile 38.5% · scored 2026-06-18T12:00:27Z
Published: 2026-03-07
Last modified: 2026-03-12

Underlying weaknesses (1)

CWE-330: Use of Insufficiently Random Values

References

  1. https://openwrt.org/toh/xikestor/sks8310-8x?s%5B%5D=xikestor&s%5B%5D=sks8310&s%5B%5D=8x
  2. https://www.aliexpress.com/i/3256808697772710.html

Entities (1)

Type      | Target                                        | Confidence | Tier
Weakness  | Use of Insufficiently Random Values (cwe-330) | 0%         | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE-2026-25070
  - CVE-2026-27515
  - CVE-2025-71056
  - CVE-2025-64075
  - CVE-2025-63206
  - CVE-2025-52689

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.