Cyber Posture

CVE-2025-65212

Critical · Public PoC

Published: 06 January 2026

Modified: 29 January 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0011 (28.5th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-65212 is a critical-severity Reliance on Cookies without Validation and Integrity Checking (CWE-565) vulnerability in Njhyst Hy511 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 28.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-23 (Session Authenticity).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Enforces approved authorizations to prevent unauthenticated attackers from directly requesting and downloading the sensitive core configuration file.

prevent: Protects session authenticity through proper cookie verification to block bypass of the frontend login page for backend access.

prevent: Requires management and protection of authenticators to prevent exposure of usernames and self-decrypted MD5 passwords in accessible configuration files.
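
The access-enforcement and session-authenticity controls above, sketched as an added example (this is not vendor code and not taken from the referenced PoC): every path outside a small public allowlist requires a cookie whose HMAC tag verifies and whose session exists server-side and has not expired. All names, paths and the 900-second lifetime are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)   # per-device key; must never appear in an exported config
SESSIONS = {}                      # server-side store: session id -> (user, expiry)
PUBLIC_PATHS = {"/login", "/static/login.css"}  # hypothetical allowlist; all else is denied by default


def _tag(sid: str) -> bytes:
    return hmac.new(SECRET, sid.encode(), hashlib.sha256).hexdigest().encode()


def issue_cookie(user, now=None, ttl=900):
    """Create a session after a successful login and return the signed cookie value."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = (user, now + ttl)
    return f"{sid}.{_tag(sid).decode()}"


def session_user(cookie, now=None):
    """Return the user bound to a valid cookie, or None if it is absent, forged or expired."""
    now = time.time() if now is None else now
    sid, sep, tag = (cookie or "").partition(".")
    if not sep:
        return None                                   # e.g. a client-chosen flag like "login=1"
    if not hmac.compare_digest(tag.encode(), _tag(sid)):
        return None                                   # integrity check failed (CWE-565 case)
    entry = SESSIONS.get(sid)
    if entry is None or entry[1] <= now:
        SESSIONS.pop(sid, None)                       # unknown or expired session
        return None
    return entry[0]


def authorize(path, cookie, now=None):
    """Return the HTTP status the device should answer with for this request."""
    if path in PUBLIC_PATHS:
        return 200
    return 200 if session_user(cookie, now) else 401
```

Because the check is deny-by-default, a direct request for a configuration download path is rejected without relying on path-prefix matching.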

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1552.001 Credentials In Files (Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

Why these techniques?

Insufficient cookie verification (CWE-565) directly enables unauthenticated remote download of the config file containing credentials (T1190: Exploit Public-Facing Application; T1552.001: Credentials In Files).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An issue was discovered in NJHYST HY511 POE core before 2.1 and plugins before 0.1. The vulnerability stems from the device's insufficient cookie verification, allowing an attacker to directly request the configuration file address and download the core configuration file without logging into the device management backend. By reading the corresponding username and self-decrypted MD5 password in the core configuration file, the attacker can directly log in to the backend, thereby bypassing the front-end backend login page.

Deeper analysis [AI]

CVE-2025-65212, published on 2026-01-06, affects the NJHYST HY511 POE core software in versions before 2.1 and associated plugins before 0.1. The vulnerability arises from insufficient cookie verification, classified under CWE-565, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). This flaw enables an attacker to directly request and download the core configuration file without authenticating to the device management backend.

A remote attacker requires only network access to the device and can exploit this with low complexity and no privileges or user interaction. By downloading the configuration file, the attacker extracts the embedded username and self-decrypted MD5 password, enabling direct login to the backend and bypassing the front-end login page. This results in high-impact unauthorized access, potentially compromising confidentiality, integrity, and availability of the device.

Advisories and further details, including potential exploitation information, are provided in the following references: https://gist.github.com/a2148001284/bcdda75fc8718454f16a7b9259463719 and https://github.com/a2148001284/test1/blob/main/%E6%9C%AA%E6%8E%87%E6%9D%83%E8%AE%BF%E9%97%AE%E5%90%8E%E5%8F%B0%E6%BC%8F%E6%B4%9EEN.md.

Details

CWE(s)

Affected Products

njhyst · hy511 firmware · ≤ 2.1

CVEs Like This One

CVE-2025-64447 (shared CWE-565)
CVE-2014-125112 (shared CWE-565)
CVE-2025-14440 (shared CWE-565)
CVE-2022-50926 (shared CWE-565)
CVE-2025-2395 (shared CWE-565)
CVE-2026-5130 (shared CWE-565)
CVE-2026-39324 (shared CWE-565)
CVE-2025-59247 (shared CWE-565)
