CVE-2025-65128 is a vulnerability in the web management API components of Shenzhen Zhibotong Electronics ZBT WE2001 routers, identified by MITRE as CWE-287 (Improper Authentication). The flaw arises because the API lacks any authentication checks for certain operations whose names end with "*_nocommit". An attacker connected to the same local network can send crafted requests to these API endpoints, supplying parameters expected by the functions, to modify router configuration data. This includes changing the SSID broadcast by the router, altering Wi-Fi credentials, and resetting administrative passwords, all without needing to authenticate or establish a session. The vulnerability has a CVSS v3.1 base score of 8.1, reflecting high impact on confidentiality and integrity, with low attack complexity and no privileges or user interaction required. The attack vector is local network access, which limits remote exploitation but still poses significant risk in environments where local network access is not tightly controlled. No patches or mitigations have been officially released as of the publication date, and no known exploits have been observed in the wild. This vulnerability could be leveraged by attackers to gain persistent unauthorized access to network infrastructure, intercept or redirect traffic, and compromise connected devices.

The impact of CVE-2025-65128 is substantial for organizations using Shenzhen Zhibotong ZBT WE2001 routers. Successful exploitation allows attackers to fully control router configurations, including Wi-Fi credentials and administrative passwords, effectively granting them persistent unauthorized access to the network. This can lead to interception of sensitive data, network traffic manipulation, and further compromise of internal systems. The lack of authentication means any local network user or compromised device can exploit this vulnerability, increasing insider threat risks. Organizations with weak network segmentation or guest network isolation are particularly vulnerable. The compromise of router credentials can also facilitate lateral movement and persistence for advanced attackers. Although the attack requires local network access, many enterprise, SMB, and home environments have insufficient controls to prevent unauthorized local access. The absence of patches increases exposure duration, elevating risk until remediation is available.

To mitigate CVE-2025-65128, organizations should implement strict network segmentation to limit access to router management interfaces only to trusted devices and users. Disable or restrict access to the web management API from all but essential internal hosts. Employ network access control (NAC) solutions to prevent unauthorized devices from connecting to the local network. Monitor network traffic for unusual API calls or configuration changes. Change default router credentials and consider replacing affected devices with models from vendors with robust security track records if immediate patching is not possible. If possible, isolate IoT and network infrastructure devices on separate VLANs with limited access. Regularly audit router configurations and logs for unauthorized changes. Engage with Shenzhen Zhibotong Electronics for firmware updates or patches and apply them promptly once available. Consider deploying endpoint detection and response (EDR) tools to detect lateral movement attempts stemming from compromised routers.