CVE-2026-25072

High

Published: 07 March 2026

Modified: 12 March 2026
CVSS v4 Score: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0050 (38.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-25072 is a high-severity Use of Insufficiently Random Values (CWE-330) vulnerability in Seekswan Zikestor Sks8310-8X Firmware. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 38.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-23 (Session Authenticity).

Deeper analysis

CVE-2026-25072 is a predictable session identifier vulnerability (CWE-330) affecting the firmware of XikeStor SKS8310-8X Network Switch devices, specifically versions 1.04.B07 and prior. The issue resides in the /goform/SetLogin endpoint, where session identifiers are generated using insufficiently random cookie values. This allows attackers to predict session IDs and exploit exposed session parameters in URLs, enabling the hijacking of authenticated user sessions. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high confidentiality, integrity, and availability impacts.

Remote attackers require no privileges, authentication, or user interaction to exploit this vulnerability over the network. By predicting session identifiers from the weak randomness in cookies and leveraging URL-exposed parameters, attackers can impersonate legitimate users and gain unauthorized access to authenticated sessions on the affected switch. Successful exploitation grants full control over the hijacked session, potentially allowing configuration changes, data access, or other administrative actions depending on the victim's permissions.

The provided references include an OpenWrt Table of Hardware entry for the XikeStor SKS8310-8X and an AliExpress product listing, but the available information details no specific advisories, patches, or mitigation guidance. Security practitioners should monitor for firmware updates from the vendor and consider network segmentation or session management best practices until patches are confirmed.

Vulnerability details

XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain a predictable session identifier vulnerability in the /goform/SetLogin endpoint that allows remote attackers to hijack authenticated sessions. Attackers can predict session identifiers using insufficiently random cookie values and exploit exposed session parameters in URLs to gain unauthorized access to authenticated user sessions.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability allows remote, unauthenticated attackers to predict session identifiers and hijack authenticated web sessions on the network switch's management interface, directly enabling exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25070 · Same product: Seekswan Zikestor Sks8310-8X
CVE-2026-25071 · Same product: Seekswan Zikestor Sks8310-8X
CVE-2026-33710 · Shared CWE-330
CVE-2026-27637 · Shared CWE-330
CVE-2025-68704 · Shared CWE-330
CVE-2026-27515 · Shared CWE-330
CVE-2026-40496 · Shared CWE-330
CVE-2026-27755 · Shared CWE-330
CVE-2025-64097 · Shared CWE-330
CVE-2024-48928 · Shared CWE-330

Affected Assets

Vendor: seekswan
Product: zikestor sks8310-8x firmware
Version: ≤ 1.04.b07

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Requires timely remediation of the specific flaw in firmware versions 1.04.B07 and prior, eliminating the predictable session identifier vulnerability.

Prevent: Directly protects against session hijacking by ensuring the authenticity of communications sessions, countering predictable session identifiers.

Prevent: Mandates generation of authenticators, such as session cookies, with sufficient strength and randomness to prevent prediction and hijacking.
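
The randomness requirement in the control above, together with the cookie-versus-URL exposure noted in the vulnerability details, shown as an added C example; it is not XikeStor firmware code and does not come from this page's sources. The page does not say how the firmware derives its cookie value, so `weak_sid` is a constructed stand-in, and the cookie name `sid` and all function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SID_BYTES 16                 /* 128 bits from the kernel CSPRNG */
#define SID_HEX   (SID_BYTES * 2)

/* Weak stand-in (constructed, not the firmware's code): the whole id is a
   function of a small guessable seed, such as the login time in seconds. */
void weak_sid(unsigned seed, char out[SID_HEX + 1]) {
    srand(seed);
    for (int i = 0; i < SID_HEX; i++) out[i] = "0123456789abcdef"[rand() % 16];
    out[SID_HEX] = '\0';
}

/* Hardened: every byte comes from /dev/urandom. Returns 0 on success, -1 if
   the source is unavailable (the caller refuses the login, never falls back). */
int strong_sid(char out[SID_HEX + 1]) {
    unsigned char raw[SID_BYTES];
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(raw, 1, sizeof raw, f); fclose(f);
    if (got != sizeof raw) return -1;
    for (int i = 0; i < SID_BYTES; i++) snprintf(out + 2 * i, 3, "%02x", raw[i]);
    return 0;
}

/* Constant-time comparison so validation does not leak matching prefixes. */
int sid_equal(const char *a, const char *b) {
    if (strlen(a) != SID_HEX || strlen(b) != SID_HEX) return 0;
    unsigned char diff = 0;
    for (int i = 0; i < SID_HEX; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Deliver the id only in a cookie, never as a URL parameter. */
int set_cookie_header(const char *sid, char *buf, size_t n) {
    return snprintf(buf, n, "Set-Cookie: sid=%s; HttpOnly; SameSite=Strict; Path=/", sid);
}

int main(void) {
    char a[SID_HEX + 1], b[SID_HEX + 1], hdr[128];
    weak_sid(1700000000u, a); weak_sid(1700000000u, b);
    printf("weak, same seed twice: %s\n", sid_equal(a, b) ? "identical" : "differ");
    if (strong_sid(a) || strong_sid(b)) return 1;
    printf("strong, two calls:     %s\n", sid_equal(a, b) ? "identical" : "differ");
    set_cookie_header(a, hdr, sizeof hdr); puts(hdr);
    return 0;
}
```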

References