CVE-2025-64075 Overview
CVE-2025-64075 is a path traversal vulnerability affecting the check_token function in Shenzhen Zhibotong Electronics ZBT WE2001 firmware version 23.09.27. Remote attackers exploit the flaw by supplying a crafted session cookie value, bypassing authentication and performing administrative actions on the device. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). No authentication or user interaction is required for exploitation, and the attack can be performed across a network boundary. Details were published in the NeutSec Advisory CVE-2025-64075.
Critical Impact
Unauthenticated remote attackers can fully compromise the router by forging a session cookie, granting administrative control over the device and the network it serves.
Affected Products
- Shenzhen Zhibotong Electronics ZBT WE2001
- Firmware version 23.09.27
- See the ZBT WiFi Overview for product information
Discovery Timeline
- 2026-02-11 - CVE-2025-64075 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-64075
Vulnerability Analysis
The vulnerability resides in the check_token routine used by the ZBT WE2001 web management interface to validate authenticated sessions. The function reads a session identifier supplied through a client-side cookie and uses it to locate the corresponding session file on the device filesystem. Because the cookie value is incorporated into a file path without normalization or sanitization, attackers can inject directory traversal sequences such as ../ to redirect the file lookup. By steering the path to a predictable file that exists outside the session directory, the routine succeeds and the request is treated as authenticated. The attacker then issues administrative requests, including configuration changes, credential resets, and command execution paths exposed by the management interface.
Root Cause
The root cause is improper limitation of a pathname to a restricted directory ([CWE-22]). User-controlled input from the session cookie is concatenated into a filesystem path without canonicalization, allowing traversal characters to escape the intended session storage location. The token validation logic conflates file existence with authentication success, which converts a path traversal primitive into a complete authentication bypass.
Attack Vector
The attack is delivered remotely over the network against the device's HTTP management interface. An attacker sends a crafted HTTP request containing a manipulated session cookie value that includes path traversal sequences. The check_token function resolves the manipulated path to an attacker-chosen location, returns a positive validation result, and the request proceeds with administrative privileges. Refer to the NeutSec Advisory CVE-2025-64075 for proof-of-concept request structure and reproduction steps.
Detection Methods for CVE-2025-64075
Indicators of Compromise
- HTTP requests to the device management interface containing ../, ..%2f, or URL-encoded traversal sequences inside Cookie headers.
- Administrative configuration changes, firmware updates, or credential modifications originating from external or unexpected source IP addresses.
- New or modified DNS, DHCP, or routing entries on the device that were not authorized by an administrator.
Detection Strategies
- Inspect web server and proxy logs for cookie values containing path separator characters or encoded traversal patterns targeting the router's management endpoints.
- Alert on successful authenticated administrative requests that were not preceded by a corresponding successful login event in the device authentication log.
- Apply network IDS/IPS signatures that flag traversal patterns in HTTP cookie headers directed at embedded device management ports.
Monitoring Recommendations
- Forward router access and authentication logs to a centralized SIEM and baseline normal administrative session sources.
- Monitor for unexpected outbound connections from the router, which can indicate post-compromise command-and-control activity.
- Review device configuration snapshots on a regular cadence and alert on unauthorized differences.
How to Mitigate CVE-2025-64075
Immediate Actions Required
- Restrict access to the ZBT WE2001 web management interface so it is reachable only from trusted management networks or a dedicated VLAN.
- Disable WAN-side administrative access on the device until a patched firmware version is available.
- Rotate any administrative credentials that may have been exposed on devices facing untrusted networks.
- Audit recent device configuration for unauthorized changes, including DNS settings, port forwards, and added accounts.
Patch Information
At the time of publication, no vendor-supplied fixed firmware version is listed in the NVD record or referenced advisory. Consult the NeutSec Advisory CVE-2025-64075 and the vendor site for the latest firmware update status before deploying replacements or workarounds.
Workarounds
- Place the device behind an upstream firewall that blocks inbound HTTP/HTTPS connections to the management interface from untrusted networks.
- Enforce source-IP allow-listing on the management interface using upstream network controls.
- If administrative access from outside the LAN is not required, disable remote management entirely in the device configuration.
- Where feasible, replace exposed devices with hardware that has current vendor support until a fixed firmware release is published.
# Example upstream ACL restricting management access to a trusted subnet
iptables -A FORWARD -p tcp -d <router-ip> --dport 80 -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -p tcp -d <router-ip> --dport 80 -j DROP
iptables -A FORWARD -p tcp -d <router-ip> --dport 443 -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -p tcp -d <router-ip> --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

