Cyber Resilience

CVE-2025-65212

CriticalPublic PoC

Published: 06 January 2026

Published
06 January 2026
Modified
29 January 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0462 90.5th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-65212 is a critical-severity Reliance on Cookies without Validation and Integrity Checking (CWE-565) vulnerability in Njhyst Hy511 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 9.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-23 (Session Authenticity).

Deeper analysis

CVE-2025-65212, published on 2026-01-06, affects the NJHYST HY511 POE core software in versions before 2.1 and associated plugins before 0.1. The vulnerability arises from insufficient cookie verification, classified under CWE-565, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). This flaw enables an attacker to directly request and download the core configuration file without authenticating to the device management backend.

A remote attacker requires only network access to the device and can exploit this with low complexity and no privileges or user interaction. By downloading the configuration file, the attacker extracts the embedded username and self-decrypted MD5 password, enabling direct login to the backend and bypassing the front-end login page. This results in high-impact unauthorized access, potentially compromising confidentiality, integrity, and availability of the device.

Advisories and further details, including potential exploitation information, are provided in the following references: https://gist.github.com/a2148001284/bcdda75fc8718454f16a7b9259463719 and https://github.com/a2148001284/test1/blob/main/%E6%9C%AA%E6%8E%87%E6%9D%83%E8%AE%BF%E9%97%AE%E5%90%8E%E5%8F%B0%E6%BC%8F%E6%B4%9EEN.md.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

An issue was discovered in NJHYST HY511 POE core before 2.1 and plugins before 0.1. The vulnerability stems from the device's insufficient cookie verification, allowing an attacker to directly request the configuration file address and download the core configuration file…

more

without logging into the device management backend. By reading the corresponding username and self-decrypted MD5 password in the core configuration file, the attacker can directly log in to the backend, thereby bypassing the front-end backend login page.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

Insufficient cookie verification (CWE-565) directly enables unauthenticated remote download of the config file containing credentials (T1190: Exploit Public-Facing Application; T1552.001: Credentials In Files).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2014-125112Shared CWE-565
CVE-2025-64447Shared CWE-565
CVE-2025-14440Shared CWE-565
CVE-2022-50926Shared CWE-565
CVE-2025-2395Shared CWE-565
CVE-2026-5130Shared CWE-565
CVE-2026-0257Shared CWE-565
CVE-2026-39324Shared CWE-565
CVE-2025-59247Shared CWE-565

Affected Assets

njhyst
hy511 firmware
≤ 2.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations to prevent unauthenticated attackers from directly requesting and downloading the sensitive core configuration file.

prevent

Protects session authenticity through proper cookie verification to block bypass of the frontend login page for backend access.

prevent

Requires management and protection of authenticators to prevent exposure of usernames and self-decrypted MD5 passwords in accessible configuration files.

References