CVE-2026-25070

XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain an OS command injection vulnerability in the /goform/PingTestSet endpoint that allows unauthenticated remote attackers to execute arbitrary operating system commands. Attackers can inject malicious commands through the destIp parameter to achieve remote code execution with root privileges on the network switch.
Configurations

Configuration 1

AND
cpe:2.3:o:seekswan:zikestor_sks8310-8x_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:seekswan:zikestor_sks8310-8x:-:*:*:*:*:*:*:*

History

12 Mar 2026, 15:11

Type | Values Removed | Values Added
CPE | | cpe:2.3:h:seekswan:zikestor_sks8310-8x:-:*:*:*:*:*:*:* ; cpe:2.3:o:seekswan:zikestor_sks8310-8x_firmware:*:*:*:*:*:*:*:*
References | () https://openwrt.org/toh/xikestor/sks8310-8x?s%5B%5D=xikestor&s%5B%5D=sks8310&s%5B%5D=8x - | () https://openwrt.org/toh/xikestor/sks8310-8x?s%5B%5D=xikestor&s%5B%5D=sks8310&s%5B%5D=8x - Product
References | () https://www.aliexpress.com/i/3256808697772710.html - | () https://www.aliexpress.com/i/3256808697772710.html - Product
CVSS | v2 : unknown ; v3 : unknown | v2 : unknown ; v3 : 9.8
First Time | | Seekswan ; Seekswan zikestor Sks8310-8x Firmware ; Seekswan zikestor Sks8310-8x
Summary | | (es) XikeStor SKS8310-8X network switch firmware versions 1.04.B07 and earlier contain an operating system command injection vulnerability in the /goform/PingTestSet endpoint that allows unauthenticated remote attackers to execute arbitrary operating system commands. Attackers can inject malicious commands through the destIp parameter to achieve remote code execution with root privileges on the network switch.

07 Mar 2026, 01:15

Type | Values Removed | Values Added
New CVE | |

Information

Published : 2026-03-07 01:15

Updated : 2026-03-12 15:11


NVD link : CVE-2026-25070

Mitre link : CVE-2026-25070

CVE.ORG link : CVE-2026-25070



Products Affected

seekswan

  • zikestor_sks8310-8x_firmware
  • zikestor_sks8310-8x
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')