CVE-2025-71056
Published: 23 February 2026
Summary
CVE-2025-71056 is a high-severity Authentication Bypass by Spoofing (CWE-290) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts (T1078). The CVE ranks at the 12.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and AC-10 (Concurrent Session Control).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SC-23 requires mechanisms to protect communications session authenticity, directly mitigating IP spoofing-based session hijacking by ensuring secure session binding beyond IP addresses.
AC-12 enforces session termination after defined conditions, reducing the time window for attackers to exploit hijacked sessions via IP spoofing.
AC-10 limits concurrent sessions per user, restricting hijacking attempts and enabling detection of anomalous multiple sessions from spoofed IPs.
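The three controls above, shown as an added example that is not the device's firmware or code from the disclosure: a simplified model of an IP-only session check beside a session store that binds to a random token (SC-23), expires idle sessions (AC-12) and caps sessions per user (AC-10). Class names, the timeout and cap values, and the documentation-range addresses are assumptions.

```python
import secrets
import time

IDLE_TIMEOUT = 300   # AC-12: idle seconds before termination (assumed value)
MAX_SESSIONS = 1     # AC-10: concurrent sessions per user (assumed value)

class IpOnlySessions:
    """Weak model: a login marks the client's source IP as authenticated."""
    def __init__(self):
        self.by_ip = {}
    def login(self, user, ip):
        self.by_ip[ip] = user
    def authorize(self, ip, token=None):
        return self.by_ip.get(ip)          # the source address alone decides

class BoundSessions:
    """Hardened model: unguessable token, idle timeout, per-user session cap."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.sessions = {}                 # token -> [user, ip, last_seen]
    def login(self, user, ip):
        live = [t for t, s in self.sessions.items() if s[0] == user]
        for t in live[:max(0, len(live) - MAX_SESSIONS + 1)]:
            del self.sessions[t]           # AC-10: evict the oldest sessions
        token = secrets.token_urlsafe(32)  # SC-23: secret the client must present
        self.sessions[token] = [user, ip, self.clock()]
        return token
    def authorize(self, ip, token=None):
        s = self.sessions.get(token) if token else None
        if s is None:
            return None
        user, bound_ip, last_seen = s
        now = self.clock()
        if now - last_seen > IDLE_TIMEOUT:
            del self.sessions[token]       # AC-12: terminate the idle session
            return None
        if ip != bound_ip:
            return None                    # IP is an extra signal, never the key
        s[2] = now
        return user

def demo():
    weak, strong = IpOnlySessions(), BoundSessions()
    weak.login("admin", "192.0.2.10")
    token = strong.login("admin", "192.0.2.10")
    # Constructed requests: same source address, without and with the token.
    return (weak.authorize("192.0.2.10"),
            strong.authorize("192.0.2.10"),
            strong.authorize("192.0.2.10", token))
```

`demo()` returns `("admin", None, "admin")`: the IP-only model accepts a request that carries nothing but the matching source address, while the bound store requires the token issued at login.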
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Improper session management enables IP spoofing to hijack authenticated sessions (T1078 Valid Accounts via T1563 Remote Service Session Hijacking). The device also exposes a network-accessible management interface, which facilitates initial access (T1190 Exploit Public-Facing Application).
NVD Description
Improper session management in GCOM EPON 1GE ONU version C00R371V00B01 allows attackers to execute a session hijacking attack via spoofing the IP address of an authenticated user.
Deeper analysis
CVE-2025-71056 is an improper session management vulnerability in GCOM EPON 1GE ONU version C00R371V00B01. Published on 2026-02-23, it enables session hijacking attacks by allowing attackers to spoof the IP address of an authenticated user. The issue maps to CWE-290 and carries a CVSS v3.1 base score of 8.1 (High), with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N: network-accessible, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality and integrity with no availability impact.
An attacker with low privileges, such as another authenticated user on the network, can exploit this vulnerability remotely without user interaction. By spoofing the IP address of a legitimate authenticated user, the attacker can hijack the victim's session, potentially gaining unauthorized access to administrative functions or sensitive data accessible through the hijacked session.
For mitigation details, security practitioners should refer to the vendor site at http://www.szgcom.com, the disclosure on GitHub at https://github.com/theShinigami/CVE-Disclosures/blob/main/CVE-2025-71056/README.md, and related product information at https://johnbai.en.made-in-china.com/product/JXnENzmlJFpv/China-H18gn-Series-Gpon-Ont-ONU.html.
Details
- CWE(s)