What is the CVSS score of CVE-2025-65128?

CVE-2025-65128 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Industrial are affected by CVE-2025-65128?

Unauthenticated attackers on the local network can reconfigure ZBT WE2001 routers without credentials, potentially disrupting network operations, compromising traffic routing, or enabling lateral…

How to fix or mitigate CVE-2025-65128?

Within 24 hours: Inventory all ZBT WE2001 devices (model 23.09.27) and restrict network access to the management API to trusted administrative hosts only. Within 7 days: Implement network segmentation to isolate affected routers' management interfaces behind a firewall or VPN, and disable remote management access if not operationally required. Within 30 days: Contact Zhibotong for patch availability and firmware update timeline; evaluate replacement with alternative vendor equipment if patch timeline is unacceptable.

Industrial CVE-2025-65128

HIGH

Improper Authentication (CWE-287)

2026-02-11 cve@mitre.org

Industrial

8.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:02 vuln.today

CVE Published

Feb 11, 2026 - 18:16 nvd

HIGH 8.1

DescriptionNVD

A missing authentication mechanism in the web management API components of Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 allows unauthenticated attackers on the local network to modify router and network configurations. By invoking operations whose names end with "*_nocommit" and supplying the parameters expected by the invoked function, an attacker can change configuration data, including SSID, Wi-Fi credentials, and administrative passwords, without authentication or an existing session.

AnalysisAI

Technical ContextAI

Classified as CWE-287 (Improper Authentication). A missing authentication mechanism in the web management API components of Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 allows unauthenticated attackers on the local network to modify router and network configurations. By invoking operations whose names end with "*_nocommit" and supplying the parameters expected by the invoked function, an attacker can change configuration data, including SSID, Wi-Fi credentials, and administrative passwords, without authentication or an existing session.

Affected ProductsAI

Component: web management API.

RemediationAI

Monitor vendor advisories for a patch.

CVE-2025-65128 vulnerability details – vuln.today

Back

Industrial CVE-2025-65128

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

Affected ProductsAI

RemediationAI

Share

External POC / Exploit Code