CVE-2026-25070
Published: 07 March 2026
Summary
CVE-2026-25070 is a critical-severity OS Command Injection (CWE-78) vulnerability in Seekswan Zikestor Sks8310-8X Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 47.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents OS command injection by requiring validation and sanitization of the destIp parameter at the vulnerable /goform/PingTestSet endpoint.
Addresses the specific firmware flaw enabling remote code execution by mandating timely flaw remediation through patches or upgrades.
Facilitates detection of exploitation attempts by monitoring network traffic to the /goform/PingTestSet endpoint and anomalous system behaviors.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated OS command injection via public-facing web endpoint (/goform/PingTestSet) enables remote exploitation of public-facing application (T1190) and arbitrary Unix shell command execution (T1059.004) with root privileges on the network switch.
NVD Description
XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain an OS command injection vulnerability in the /goform/PingTestSet endpoint that allows unauthenticated remote attackers to execute arbitrary operating system commands. Attackers can inject malicious commands through the destIp parameter to…
more
achieve remote code execution with root privileges on the network switch.
Deeper analysisAI
CVE-2026-25070 is an OS command injection vulnerability (CWE-78) affecting the firmware of XikeStor SKS8310-8X Network Switches in versions 1.04.B07 and prior. The flaw resides in the /goform/PingTestSet endpoint, where the destIp parameter fails to properly sanitize user input, enabling attackers to inject and execute arbitrary operating system commands. This issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its potential for high-impact remote exploitation.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no privileges required. By crafting a malicious request to the PingTestSet endpoint with injected commands in the destIp parameter, attackers achieve remote code execution with root privileges on the affected switch. This grants full control over the device, potentially allowing network disruption, data exfiltration, lateral movement, or persistence in compromised environments.
References point to an OpenWRT table of hardware entry for the XikeStor SKS8310-8X and an AliExpress product listing, but no vendor advisories, patches, or specific mitigation guidance are detailed in these sources. Security practitioners should isolate affected devices, monitor for anomalous traffic to the endpoint, and seek firmware updates from the vendor if available.
Details
- CWE(s)