CVE-2025-12266

Name of the Vulnerable Software and Affected Versions Zytec Dalian Zhuoyun Technology Central Authentication Service versions prior to 20251010

Description A code injection issue exists in the Central Authentication Service. The issue is located in the empty function of the /index.php/auth/widget file. Manipulation of the get.layer, get.widget, and get.action arguments can lead to code injection. The exploit is publicly available and the vendor was notified but did not respond.

Recommendations Versions prior to 20251010 should be updated. As a temporary workaround, restrict access to the /index.php/auth/widget file. Avoid using the get.layer, get.widget, and get.action parameters in the affected API endpoint until the issue is resolved.