CVE-2025-64074

5.3 MEDIUM

📋 TL;DR

A path-traversal vulnerability in the logout functionality of Shenzhen Zhibotong Electronics ZBT WE2001 routers allows remote attackers to delete arbitrary files on the host by manipulating session cookie values. This affects users running version 23.09.27 of the firmware who have the device exposed to untrusted networks.

💻 Affected Systems

Products:
  • Shenzhen Zhibotong Electronics ZBT WE2001
Versions: 23.09.27
Operating Systems: Embedded Linux firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running the vulnerable firmware version are affected by default.

⚠️ Manual Verification Required

This CVE has no structured version range in our database (only the single version 23.09.27 listed above is known to be affected), so automated vulnerability detection cannot decide on its own whether your device is affected.

Why? Neither the vendor nor NVD has published a vulnerable or fixed-in version range, so a scanner has nothing to compare your firmware version against.


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Deletion of any file the web server process can reach, typically running as root on embedded Linux: removing system binaries, libraries or the configuration store can brick the device or leave it in a persistent denial of service until it is reflashed.

🟠 Likely Case

Targeted deletion of configuration files or logs, causing service disruption, loss of settings and destruction of forensic evidence.

🟢 If Mitigated

Limited impact if the device's web interface is reachable only from a trusted management network and is not exposed to the WAN.

🌐 Internet-Facing: HIGH - Directly exposed devices can be attacked remotely without authentication.
🏢 Internal Only: MEDIUM - Requires attacker to have network access, but exploitation is straightforward once access is gained.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ Yes
Complexity: MEDIUM

Exploitation requires only a logout request whose session cookie value carries a path traversal sequence; no valid session or admin credentials are needed (consistent with the 5.3 score, which implies no privileges required), so any host that can reach the web interface can trigger the deletion.
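The following is an added illustration of the vulnerability class described above, not code from the WE2001 firmware (whose handler is most likely C or CGI, and whose cookie name and session directory are not given on this page): a logout handler that deletes a server-side session file named by the cookie value, shown beside a hardened version. The session-id format, directory layout and file names are assumptions made for the demonstration.

```python
import os
import re
import tempfile
from typing import Dict, Optional

# Assumed session-id format for the hardened handler (allowlist, not a blocklist).
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9]{16,64}$")


def logout_vulnerable(session_dir: str, cookie_value: str) -> str:
    """Illustrative vulnerable pattern: delete whatever file the cookie names.

    A cookie of "../config.dat" escapes session_dir; an absolute path such as
    "/etc/passwd" makes os.path.join discard session_dir entirely.
    """
    path = os.path.join(session_dir, cookie_value)
    if os.path.exists(path):
        os.remove(path)
    return path


def logout_hardened(session_dir: str, cookie_value: str) -> Optional[str]:
    """Hardened handler: two independent checks before any unlink.

    1. The cookie must look like a session id (strict character allowlist),
       which already rejects "/", "..", "%2e" and friends.
    2. The resolved path must sit directly inside the session directory;
       realpath() collapses ".." and follows symlinks so containment is
       checked on the real filesystem location, not on the raw string.
    Returns the removed path, or None when the request is rejected.
    """
    if not SESSION_ID_RE.fullmatch(cookie_value):
        return None
    base = os.path.realpath(session_dir)
    target = os.path.realpath(os.path.join(base, cookie_value))
    if os.path.dirname(target) != base:
        return None
    if os.path.isfile(target):
        os.remove(target)
    return target


def demo() -> Dict[str, bool]:
    """Builds a throwaway layout and exercises both handlers (constructed data)."""
    root = tempfile.mkdtemp()
    session_dir = os.path.join(root, "sessions")
    os.mkdir(session_dir)
    config = os.path.join(root, "config.dat")  # stand-in for a critical file
    open(config, "w").close()
    sid = "a" * 32                              # a well-formed session id
    open(os.path.join(session_dir, sid), "w").close()

    results = {}
    # Hardened handler refuses traversal, absolute and encoded values...
    logout_hardened(session_dir, "../config.dat")
    results["hardened_blocks_traversal"] = os.path.exists(config)
    results["hardened_rejects_absolute"] = logout_hardened(session_dir, "/etc/passwd") is None
    results["hardened_rejects_encoded"] = logout_hardened(session_dir, "..%2fconfig.dat") is None
    # ...but still performs a normal logout for a real session id.
    removed = logout_hardened(session_dir, sid)
    results["hardened_removes_real_session"] = (
        removed is not None and not os.path.exists(os.path.join(session_dir, sid))
    )
    # The vulnerable handler deletes the file outside the session store.
    logout_vulnerable(session_dir, "../config.dat")
    results["vulnerable_deletes_config"] = not os.path.exists(config)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The allowlist alone would be enough for this bug, but the realpath containment check is what protects the handler if the id format is later relaxed or the value is decoded upstream, so both belong in the fix.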

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor for updated firmware

Vendor Advisory: https://www.zbtwifi.com

Restart Required: Yes (applying a firmware image reboots the device)

Instructions:

  1. Log into the router admin interface.
  2. Navigate to the firmware update section.
  3. Download the latest firmware from the vendor site.
  4. Upload and apply the firmware update.
  5. Verify the update completes successfully and the reported version is newer than 23.09.27.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Place affected devices behind a firewall so the web interface is reachable only from a trusted management network; never expose it to the WAN.

Input Validation (applies to: all)

Put a reverse proxy or web application firewall in front of the device and block requests to the logout endpoint whose Cookie header contains a traversal sequence ("../" or "..\") after percent-decoding, including double-encoded forms such as "%252e%252e%252f".

🧯 If You Can't Patch

  • Isolate device from untrusted networks using VLANs or physical segmentation.
  • Monitor for logout requests carrying traversal sequences in the session cookie. Stock router firmware rarely logs Cookie headers or file deletions, so capture the traffic with a reverse proxy or IDS in front of the device rather than relying on the device's own logs.

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router admin interface under System Information.

Check Version:

Login to router web interface and navigate to System > Firmware Information

Verify Fix Applied:

Confirm the firmware version is newer than 23.09.27. Then, with the device on an isolated test network, send a logout request whose session cookie contains a traversal sequence and verify that nothing outside the session store is removed; a fixed build should reject the value or simply clear the session.

📡 Detection & Monitoring

Log Indicators:

  • Unusual logout requests with malformed session cookies
  • File deletion events in system logs from web process

Network Indicators:

  • HTTP requests to the logout endpoint whose Cookie header contains path traversal sequences in raw ("../"), URL-encoded ("%2e%2e%2f", "..%2f") or double-encoded ("%252e%252e%252f") form

SIEM Query:

source="router_logs" AND ((event="logout" AND (cookie="*../*" OR cookie="*..%2f*" OR cookie="*%2e%2e*")) OR (event="file_delete" AND process="web_server"))

Note the outer parentheses: without them the file_delete clause is ORed against every source, and a plain "*../*" match misses the encoded variants listed above.
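The detection logic from this section and the traversal check behind the Input Validation workaround, as an added example (not part of the original page and not a vendor tool): it parses constructed access-log lines of the kind a reverse proxy in front of the device would write, normalizes the cookie value so encoded and double-encoded traversal is caught, and reports hits on the logout endpoint. The cookie name "session", the path "/logout" and the log lines themselves are assumptions made for the demonstration.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample log lines (combined-log style with the Cookie header appended).
# Cookie name and logout path are assumptions, not taken from the WE2001 firmware.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2025:10:01:02 +0000] "GET /logout HTTP/1.1" 302 0 "session=3f9a1c2b7e4d"
198.51.100.7 - - [12/Nov/2025:10:01:09 +0000] "GET /logout HTTP/1.1" 302 0 "session=../../../etc/config/network"
198.51.100.7 - - [12/Nov/2025:10:01:11 +0000] "GET /logout HTTP/1.1" 302 0 "session=..%2f..%2f..%2fetc%2fpasswd"
198.51.100.7 - - [12/Nov/2025:10:01:14 +0000] "GET /logout HTTP/1.1" 302 0 "session=%252e%252e%252fconfig"
10.0.0.9 - - [12/Nov/2025:10:02:00 +0000] "GET /status HTTP/1.1" 200 512 "session=..%2fnot-logout"
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<cookie>[^"]*)"$'
)

# ".." as a whole path component: "abc..def" is not traversal, "../x" and "x/.." are.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (defeats double encoding), fold "\\" to "/"."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def has_traversal(raw: str) -> bool:
    """The predicate a proxy/WAF rule would apply to the cookie value."""
    return TRAVERSAL_RE.search(normalize(raw)) is not None


def cookie_value(cookie_header: str, name: str) -> Optional[str]:
    """Pulls one cookie out of a "a=1; b=2" header."""
    for part in cookie_header.split(";"):
        key, _, val = part.strip().partition("=")
        if key == name:
            return val
    return None


def find_suspicious(log_text: str, cookie_name: str = "session",
                    logout_path: str = "/logout") -> List[Dict[str, str]]:
    """Returns logout requests whose session cookie decodes to a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        val = cookie_value(m["cookie"], cookie_name)
        if val is None:
            continue
        if m["path"].split("?", 1)[0] == logout_path and has_traversal(val):
            hits.append({"src": m["src"], "ts": m["ts"],
                         "cookie": val, "decoded": normalize(val)})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["src"]} logout cookie={hit["cookie"]!r} -> {hit["decoded"]!r}')
```

The last sample line (a traversal cookie sent to /status) is deliberately not flagged by the logout-scoped rule; if you want to alert on any traversal-shaped session value regardless of endpoint, drop the path comparison and expect more noise from scanners.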
