CVE-2025-65127
📋 TL;DR
This vulnerability allows remote unauthenticated attackers to access administrative information-retrieval functions in ZBT WE2001 devices. Attackers can obtain device configuration data including plaintext credentials by invoking 'get_*' operations without authentication. All users of affected ZBT WE2001 devices are impacted.
💻 Affected Systems
- Shenzhen Zhibotong Electronics ZBT WE2001
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative access to the device, extract all configuration data including credentials, and potentially pivot to other network systems using stolen credentials.
Likely Case
Attackers harvest device credentials and configuration data, enabling further attacks on the device or other systems using the same credentials.
If Mitigated
Limited exposure if device is behind strict network controls, but credentials could still be compromised if accessed.
🎯 Exploit Status
Exploitation requires only HTTP requests to specific API endpoints without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.zbtwifi.com/
Restart Required: Yes
Instructions:
1. Check vendor website for firmware updates. 2. Download latest firmware. 3. Upload via device web interface. 4. Apply update and restart device.
🔧 Temporary Workarounds
Network Isolation
allRestrict access to device management interface using firewall rules
API Endpoint Blocking
allBlock access to vulnerable API endpoints at network perimeter
🧯 If You Can't Patch
- Isolate device on separate VLAN with strict access controls
- Implement network monitoring for suspicious API requests to get_* endpoints
🔍 How to Verify
Check if Vulnerable:
Send HTTP GET request to device IP/api/get_config or similar get_* endpoints without authenticationCheck Version:
Check device web interface or SSH to device and check firmware versionVerify Fix Applied:
Attempt same request after update - should return authentication error📡 Detection & Monitoring
Log Indicators:
- Unauthenticated requests to get_* API endpoints
- Multiple failed authentication attempts followed by successful get_* requests
Network Indicators:
- HTTP requests to /api/get_* endpoints without authentication headers
- Unusual data extraction patterns from device
SIEM Query:
source_ip=* AND dest_ip=device_ip AND http_uri CONTAINS '/api/get_' AND NOT auth_token EXISTS