Cyber Resilience

CVE-2025-66315

Medium

Published: 09 January 2026

Published
09 January 2026
Modified
12 March 2026
KEV Added
Patch
CVSS Score v3.1 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
EPSS Score 0.0022 12.6th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2025-66315 is a medium-severity Improper Privilege Management (CWE-269) vulnerability in Zte Mf258K Pro Firmware. Its CVSS base score is 4.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Services File Permissions Weakness (T1574.010); ranked at the 12.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-66315 is a configuration defect vulnerability in the version server of ZTE MF258K Pro products. The flaw arises from improper directory permission settings, enabling an attacker to execute write permissions in a specific directory. It carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L) and maps to CWE-269 and CWE-863.

A low-privileged user (PR:L) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation allows write access to a specific directory in an unchanged scope (S:U), resulting in low impact to availability (A:L) with no effects on confidentiality or integrity.

Mitigation guidance is available in the ZTE security bulletin at https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/4891644183717871638.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

There is a configuration defect vulnerability in the version server of ZTE MF258K Pro products. Due to improper directory permission settings, an attacker can execute write permissions in a specific directory.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1574.010 Services File Permissions Weakness Stealth
Adversaries may execute their own malicious payloads by hijacking the binaries used by services.
Why these techniques?

Improper directory permissions (CWE-269/863) directly constitute a file system permissions weakness allowing low-privileged network write access.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-26705Same vendor: Zte
CVE-2026-40436Same vendor: Zte
CVE-2026-29127Shared CWE-269, CWE-863
CVE-2025-26702Same vendor: Zte
CVE-2026-34472Same vendor: Zte
CVE-2026-40291Shared CWE-269, CWE-863
CVE-2025-29924Shared CWE-269, CWE-863
CVE-2026-27899Shared CWE-269, CWE-863
CVE-2026-27802Shared CWE-269, CWE-863
CVE-2025-0834Shared CWE-269

Affected Assets

zte
mf258k pro firmware
zte_mf258kpro_play_v1.0.0b03, zte_mf258pro_std_v1.0.0b04

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces directory access permissions so that low-privileged users cannot obtain unauthorized write access to the version-server directory.

prevent

Requires assignment of only the minimum privileges needed, preventing the excessive write permissions that enable this vulnerability.

prevent

Mandates correct configuration of directory permissions on the ZTE device, directly eliminating the misconfiguration described in the CVE.

References