PT-2026-7623 · Shenzhen Zhibotong Electronics · Zbt We2001
Published: 2026-02-11 · Updated: 2026-02-17 · CVE-2025-65128

| Metric | Value |
|---|---|
| CVSS v3.1 | 8.1 (High) |
| Vector | AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Shenzhen Zhibotong Electronics ZBT WE2001 version 23.09.27
Description
A flaw exists in the web management API components that allows unauthenticated attackers on the local network to modify router and network configurations. Attackers can change configuration data, including SSID, Wi-Fi credentials, and administrative passwords, without authentication by invoking operations ending with *nocommit and providing the expected parameters for the invoked function.
Recommendations
Apply updates to address the missing authentication mechanism in the web management API components. As a temporary workaround, restrict network access to the web management API to trusted users only.
Fix
Improper Authentication
Weakness Enumeration
Related Identifiers
Affected Products
Zbt We2001