CVE-2026-25072

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-25072
XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain a predictable session identifier vulnerability in the /goform/SetLogin endpoint that allows remote attackers to hijack authenticated sessions. Attackers can predict session identifiers using insufficiently random cookie values and exploit exposed session parameters in URLs to gain unauthorized access to authenticated user sessions.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://openwrt.org/toh/xikestor/sks8310-8x?s%5B%5D=xikestor&s%5B%5D=sks8310&s%5B%5D=8x Product
https://www.aliexpress.com/i/3256808697772710.html Product
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:seekswan:zikestor_sks8310-8x_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:seekswan:zikestor_sks8310-8x:-:*:*:*:*:*:*:*
History

12 Mar 2026, 14:56

Type Values Removed Values Added
CPE cpe:2.3:h:seekswan:zikestor_sks8310-8x:-:*:*:*:*:*:*:*
cpe:2.3:o:seekswan:zikestor_sks8310-8x_firmware:*:*:*:*:*:*:*:*
References () https://openwrt.org/toh/xikestor/sks8310-8x?s%5B%5D=xikestor&s%5B%5D=sks8310&s%5B%5D=8x - () https://openwrt.org/toh/xikestor/sks8310-8x?s%5B%5D=xikestor&s%5B%5D=sks8310&s%5B%5D=8x - Product
References () https://www.aliexpress.com/i/3256808697772710.html - () https://www.aliexpress.com/i/3256808697772710.html - Product
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.8
First Time Seekswan
Seekswan zikestor Sks8310-8x Firmware
Seekswan zikestor Sks8310-8x
Summary
  • (es) Las versiones de firmware 1.04.B07 y anteriores del switch de red XikeStor SKS8310-8X contienen una vulnerabilidad de identificador de sesión predecible en el endpoint /goform/SetLogin que permite a atacantes remotos secuestrar sesiones autenticadas. Los atacantes pueden predecir identificadores de sesión utilizando valores de cookie insuficientemente aleatorios y explotar parámetros de sesión expuestos en las URL para obtener acceso no autorizado a sesiones de usuario autenticadas.

07 Mar 2026, 01:15

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-07 01:15

Updated : 2026-03-12 14:56

NVD link : CVE-2026-25072

Mitre link : CVE-2026-25072

CVE.ORG link : CVE-2026-25072

JSON object : View

Products Affected

seekswan

  • zikestor_sks8310-8x_firmware
  • zikestor_sks8310-8x
CWE
CWE-330

Use of Insufficiently Random Values