CVE-2025-66315
Published: 09 January 2026
Summary
CVE-2025-66315 is a medium-severity Improper Privilege Management (CWE-269) vulnerability in Zte Mf258K Pro Firmware. Its CVSS base score is 4.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique File System Permissions Weakness (T1044); ranked at the 15.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Policy addresses roles, responsibilities, and privilege management to prevent improper privilege assignments.
Access supervision ensures privileges are assigned and managed without improper escalation or retention.
Assigning group/role memberships and access authorizations (privileges) while reviewing accounts addresses improper privilege management.
The small, testable reference monitor reduces the likelihood of incorrect authorization implementations.
Certification evaluates whether authorization decisions are correctly implemented and enforced.
Periodic review and documentation of connection needs reduces incorrect authorization.
Restricting who can perform changes helps ensure privileges are managed properly rather than assigned broadly.
Manages privileges by authorizing only approved personnel and supervising those lacking required authorizations for maintenance.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Improper directory permissions (CWE-269/863) directly constitute a file system permissions weakness allowing low-privileged network write access.
NVD Description
There is a configuration defect vulnerability in the version server of ZTE MF258K Pro products. Due to improper directory permission settings, an attacker can execute write permissions in a specific directory.
Deeper analysisAI
CVE-2025-66315 is a configuration defect vulnerability in the version server of ZTE MF258K Pro products. The flaw arises from improper directory permission settings, enabling an attacker to execute write permissions in a specific directory. It carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L) and maps to CWE-269 and CWE-863.
A low-privileged user (PR:L) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation allows write access to a specific directory in an unchanged scope (S:U), resulting in low impact to availability (A:L) with no effects on confidentiality or integrity.
Mitigation guidance is available in the ZTE security bulletin at https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/4891644183717871638.
Details
- CWE(s)