CVE-2025-65212
Published: 06 January 2026
Summary
CVE-2025-65212 is a critical-severity Reliance on Cookies without Validation and Integrity Checking (CWE-565) vulnerability in Njhyst Hy511 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 9.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-23 (Session Authenticity).
Deeper analysis
CVE-2025-65212, published on 2026-01-06, affects the NJHYST HY511 POE core software in versions before 2.1 and associated plugins before 0.1. The vulnerability arises from insufficient cookie verification, classified under CWE-565, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). This flaw enables an attacker to directly request and download the core configuration file without authenticating to the device management backend.
A remote attacker requires only network access to the device and can exploit this with low complexity and no privileges or user interaction. By downloading the configuration file, the attacker extracts the embedded username and self-decrypted MD5 password, enabling direct login to the backend and bypassing the front-end login page. This results in high-impact unauthorized access, potentially compromising confidentiality, integrity, and availability of the device.
Advisories and further details, including potential exploitation information, are provided in the following references: https://gist.github.com/a2148001284/bcdda75fc8718454f16a7b9259463719 and https://github.com/a2148001284/test1/blob/main/%E6%9C%AA%E6%8E%87%E6%9D%83%E8%AE%BF%E9%97%AE%E5%90%8E%E5%8F%B0%E6%BC%8F%E6%B4%9EEN.md.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1016
Vulnerability details
An issue was discovered in NJHYST HY511 POE core before 2.1 and plugins before 0.1. The vulnerability stems from the device's insufficient cookie verification, allowing an attacker to directly request the configuration file address and download the core configuration file…
more
without logging into the device management backend. By reading the corresponding username and self-decrypted MD5 password in the core configuration file, the attacker can directly log in to the backend, thereby bypassing the front-end backend login page.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Insufficient cookie verification (CWE-565) directly enables unauthenticated remote download of the config file containing credentials (T1190: Exploit Public-Facing Application; T1552.001: Credentials In Files).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved authorizations to prevent unauthenticated attackers from directly requesting and downloading the sensitive core configuration file.
Protects session authenticity through proper cookie verification to block bypass of the frontend login page for backend access.
Requires management and protection of authenticators to prevent exposure of usernames and self-decrypted MD5 passwords in accessible configuration files.