Cyber Resilience

CVE-2025-65128

High

Published: 11 February 2026

Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0026 (17.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-65128 is a high-severity Improper Authentication (CWE-287) vulnerability in NeutSec (inferred from references). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 17.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-65128 is a missing authentication mechanism (CWE-287) in the web management API components of the Shenzhen Zhibotong Electronics ZBT WE2001 router running firmware version 23.09.27. Published on 2026-02-11, this vulnerability enables unauthenticated attackers on the local network to modify router and network configurations without requiring an existing session. It carries a CVSS v3.1 base score of 8.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), reflecting high impacts on confidentiality and integrity.

Unauthenticated attackers with network adjacency can exploit the flaw by invoking API operations whose names end with "*_nocommit" and supplying the expected parameters. This grants the ability to alter sensitive configuration data, including SSID, Wi-Fi credentials, and administrative passwords, potentially allowing full takeover of the device's network settings and access controls.

For mitigation details, security practitioners should refer to the NeutSec advisory at https://neutsec.io/advisories/cve-2025-65128/ and the vendor website at https://www.zbtwifi.com/.

Vulnerability details

A missing authentication mechanism in the web management API components of Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 allows unauthenticated attackers on the local network to modify router and network configurations. By invoking operations whose names end with "*_nocommit" and supplying the parameters expected by the invoked function, an attacker can change configuration data, including SSID, Wi-Fi credentials, and administrative passwords, without authentication or an existing session.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authentication in web management API directly enables unauthenticated exploitation of a public-facing router interface for config modification and takeover.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-1044 (shared CWE-287)
CVE-2026-1740 (shared CWE-287)
CVE-2026-7022 (shared CWE-287)
CVE-2024-13111 (shared CWE-287)
CVE-2026-29145 (shared CWE-287)
CVE-2018-25236 (shared CWE-287)
CVE-2024-53704 (shared CWE-287)
CVE-2024-57049 (shared CWE-287)
CVE-2025-12374 (shared CWE-287)
CVE-2025-15484 (shared CWE-287)

Affected Assets

NeutSec
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Explicitly identifies and authorizes only approved actions without identification or authentication, directly preventing unauthenticated API calls that modify router configurations.

prevent

Enforces approved authorizations for logical access to system resources, ensuring authentication is required before allowing configuration changes via the management API.

prevent

Requires mechanisms for authenticating access to services and privileged functions like the web management API, blocking unauthenticated configuration modifications.

References