A missing authentication mechanism in the web management API components of Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 allows unauthenticated attackers on the local network to modify router and network configurations. By invoking operations whose names end with "*_nocommit" and supplying the parameters expected by the invoked function, an attacker can change configuration data, including SSID, Wi-Fi credentials, and administrative passwords, without authentication or an existing session.
Metrics
Affected Vendors & Products
| Vendors | Products |
|---|---|
| Shenzhen Zhibotong Electronics |
|
No data.
No data.
References
History
Wed, 11 Feb 2026 22:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Shenzhen Zhibotong Electronics
Shenzhen Zhibotong Electronics zbt We2001 |
|
| Vendors & Products |
Shenzhen Zhibotong Electronics
Shenzhen Zhibotong Electronics zbt We2001 |
Wed, 11 Feb 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A missing authentication mechanism in the web management API components of Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 allows unauthenticated attackers on the local network to modify router and network configurations. By invoking operations whose names end with "*_nocommit" and supplying the parameters expected by the invoked function, an attacker can change configuration data, including SSID, Wi-Fi credentials, and administrative passwords, without authentication or an existing session. | |
| References |
|
MITRE
Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2026-02-11T17:03:45.173Z
Reserved: 2025-11-18T00:00:00.000Z
Link: CVE-2025-65128
Vulnrichment
No data.
NVD
Status : Received
Published: 2026-02-11T18:16:04.353
Modified: 2026-02-11T18:16:04.353
Link: CVE-2025-65128
Redhat
No data.