Cyber Resilience

CVE-2026-25070

CriticalRCE

Published: 07 March 2026

Published
07 March 2026
Modified
12 March 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0300 85.6th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-25070 is a critical-severity OS Command Injection (CWE-78) vulnerability in Seekswan Zikestor Sks8310-8X Firmware. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 14.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25070 is an OS command injection vulnerability (CWE-78) affecting the firmware of XikeStor SKS8310-8X Network Switches in versions 1.04.B07 and prior. The flaw resides in the /goform/PingTestSet endpoint, where the destIp parameter fails to properly sanitize user input, enabling attackers to inject and execute arbitrary operating system commands. This issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its potential for high-impact remote exploitation.

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no privileges required. By crafting a malicious request to the PingTestSet endpoint with injected commands in the destIp parameter, attackers achieve remote code execution with root privileges on the affected switch. This grants full control over the device, potentially allowing network disruption, data exfiltration, lateral movement, or persistence in compromised environments.

References point to an OpenWRT table of hardware entry for the XikeStor SKS8310-8X and an AliExpress product listing, but no vendor advisories, patches, or specific mitigation guidance are detailed in these sources. Security practitioners should isolate affected devices, monitor for anomalous traffic to the endpoint, and seek firmware updates from the vendor if available.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain an OS command injection vulnerability in the /goform/PingTestSet endpoint that allows unauthenticated remote attackers to execute arbitrary operating system commands. Attackers can inject malicious commands through the destIp parameter to…

more

achieve remote code execution with root privileges on the network switch.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Unauthenticated OS command injection via public-facing web endpoint (/goform/PingTestSet) enables remote exploitation of public-facing application (T1190) and arbitrary Unix shell command execution (T1059.004) with root privileges on the network switch.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25072Same product: Seekswan Zikestor Sks8310-8X
CVE-2026-25071Same product: Seekswan Zikestor Sks8310-8X
CVE-2018-25115Shared CWE-78
CVE-2025-24382Shared CWE-78
CVE-2026-29058Shared CWE-78
CVE-2024-57016Shared CWE-78
CVE-2024-46484Shared CWE-78
CVE-2015-10145Shared CWE-78
CVE-2020-37002Shared CWE-78
CVE-2026-27848Shared CWE-78

Affected Assets

seekswan
zikestor sks8310-8x firmware
≤ 1.04.b07

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents OS command injection by requiring validation and sanitization of the destIp parameter at the vulnerable /goform/PingTestSet endpoint.

prevent

Addresses the specific firmware flaw enabling remote code execution by mandating timely flaw remediation through patches or upgrades.

detect

Facilitates detection of exploitation attempts by monitoring network traffic to the /goform/PingTestSet endpoint and anomalous system behaviors.

References