Cyber Posture

CVE-2025-65128

High

Published: 11 February 2026

Modified: 15 April 2026
CVSS Score: 8.1 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0005 (15.7th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

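CVE-2025-65128 is a high-severity Improper Authentication (CWE-287) vulnerability. This page lists the affected product as Neutsec (inferred from references); the NVD description below names the Shenzhen Zhibotong Electronics ZBT WE2001, version 23.09.27. Its CVSS base score is 8.1 (High).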

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 15.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Explicitly identifies and authorizes only approved actions without identification or authentication, directly preventing unauthenticated API calls that modify router configurations.

prevent

Enforces approved authorizations for logical access to system resources, ensuring authentication is required before allowing configuration changes via the management API.

prevent

Requires mechanisms for authenticating access to services and privileged functions like the web management API, blocking unauthenticated configuration modifications.

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Missing authentication in the web management API directly enables unauthenticated exploitation of a public-facing router interface for configuration modification and takeover.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A missing authentication mechanism in the web management API components of Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 allows unauthenticated attackers on the local network to modify router and network configurations. By invoking operations whose names end with "*_nocommit" and supplying the parameters expected by the invoked function, an attacker can change configuration data, including SSID, Wi-Fi credentials, and administrative passwords, without authentication or an existing session.

Deeper analysis · AI

CVE-2025-65128 is a missing authentication mechanism (CWE-287) in the web management API components of the Shenzhen Zhibotong Electronics ZBT WE2001 router running firmware version 23.09.27. Published on 2026-02-11, this vulnerability enables unauthenticated attackers on the local network to modify router and network configurations without requiring an existing session. It carries a CVSS v3.1 base score of 8.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), reflecting high impacts on confidentiality and integrity.

Unauthenticated attackers with network adjacency can exploit the flaw by invoking API operations whose names end with "*_nocommit" and supplying the expected parameters. This grants the ability to alter sensitive configuration data, including SSID, Wi-Fi credentials, and administrative passwords, potentially allowing full takeover of the device's network settings and access controls.

For mitigation details, security practitioners should refer to the NeutSec advisory at https://neutsec.io/advisories/cve-2025-65128/ and the vendor website at https://www.zbtwifi.com/.

Details

CWE(s): CWE-287 (Improper Authentication)

Affected Products: Neutsec (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2026-5570 (shared CWE-287)
CVE-2025-52395 (shared CWE-287)
CVE-2025-15484 (shared CWE-287)
CVE-2026-41571 (shared CWE-287)
CVE-2026-2174 (shared CWE-287)
CVE-2025-71279 (shared CWE-287)
CVE-2024-13804 (shared CWE-287)
CVE-2026-39322 (shared CWE-287)
CVE-2026-34873 (shared CWE-287)
CVE-2026-20129 (shared CWE-287)
