CVE-2025-64075
📋 TL;DR
A path traversal vulnerability in the ZBT WE2001 router's check_token function allows remote attackers to bypass authentication by manipulating session cookies. This enables unauthorized administrative actions on affected devices. Users of ZBT WE2001 routers with firmware version 23.09.27 are impacted.
💻 Affected Systems
- Shenzhen Zhibotong Electronics ZBT WE2001
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete device takeover, configuration modification, network traffic interception, and potential lateral movement to connected devices.
Likely Case
Unauthorized access to router admin panel, configuration changes, and potential network disruption.
If Mitigated
Limited impact if device is behind firewall with restricted WAN access and strong network segmentation.
🎯 Exploit Status
Exploitation requires crafting a specific session cookie value but no authentication is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.zbtwifi.com
Restart Required: Yes
Instructions:
1. Check vendor website for firmware updates. 2. Download latest firmware. 3. Upload via admin interface. 4. Reboot device.
🔧 Temporary Workarounds
Restrict WAN Access
allBlock external access to router admin interface using firewall rules.
Change Default Credentials
allChange admin passwords to strong, unique credentials.
🧯 If You Can't Patch
- Isolate affected devices in separate VLAN with strict access controls.
- Implement network monitoring for unusual admin interface access patterns.
🔍 How to Verify
Check if Vulnerable:
Check firmware version in router admin interface under System Status or About page.Check Version:
Login to router admin panel and navigate to system information page.Verify Fix Applied:
Verify firmware version is updated beyond 23.09.27 and test authentication bypass attempts fail.📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful admin actions
- Unusual session cookie values in HTTP requests
Network Indicators:
- HTTP requests with crafted cookie values to admin endpoints
- Unauthorized access to /cgi-bin/luci/admin paths
SIEM Query:
http.method=POST AND http.uri="/cgi-bin/luci" AND http.cookie CONTAINS "sysauth" AND NOT user.role="admin"