ZBT WE2001 unauth path traversal (CVE-2025-64075)

Patch now - CVE-2025-64075 is a critical authentication bypass in ZBT WE2001 router firmware 23.09.27 that grants unauthenticated attackers full administrative control via a session cookie path traversal flaw. Update firmware immediately to prevent remote compromise.

Security Advisory: Critical Authentication Bypass in ZBT WE2001 Router

Overview

A critical security flaw has been discovered in the firmware of the Shenzhen Zhibotong Electronics ZBT WE2001 router (version 23.09.27). The vulnerability allows an unauthenticated attacker to completely bypass the device’s login system by sending a specially crafted request. This flaw is present in the function that validates user session cookies.

Vulnerability Details

In simple terms, the router’s login check contains a path traversal weakness. This is akin to an attacker using a secret shortcut to bypass a locked front door. The function that checks if a user’s session cookie is valid (check_token) does not properly sanitize input. By manipulating the session cookie value in a specific way (e.g., using sequences like ../), an attacker can trick the router into believing they are already logged in with full administrative privileges.

Impact

The impact of this vulnerability is severe (CVSS Score: 10.0/CRITICAL). A remote attacker with no prior access or credentials can:

• Gain full administrative control of the router.
• Change all router settings, including DNS and network configuration.
• Intercept, monitor, or redirect all internet traffic passing through the device.
• Potentially install malicious firmware or use the router as a foothold for attacks on the internal network.
• Render the device inoperable.

Any ZBT WE2001 router running the affected firmware version (23.09.27) and exposed to the internet or a local network is at immediate risk.

Remediation and Mitigation

1. Primary Action: Update Firmware Immediately check for and install the latest firmware update from the vendor. Contact Shenzhen Zhibotong Electronics support to confirm the availability of a patched version. This is the only definitive solution.

2. Immediate Mitigations (If No Patch is Available):

• Isolate the Device: If possible, take the affected router offline until a patch can be applied.
• Restrict Access: Ensure the router’s management interface (typically port 80/HTTP and 443/HTTPS) is not accessible from the public internet. Use firewall rules to restrict access to the admin interface to only trusted, necessary internal IP addresses.
• Monitor for Compromise: Review router logs for any unauthorized configuration changes or suspicious login attempts. Reset the router to factory defaults after applying a patch to remove any potential backdoors installed by an attacker.

3. General Best Practice: Always change default credentials and use strong, unique passwords for the router’s admin account. However, note that this specific vulnerability bypasses password checks entirely, making the firmware update the critical step.

Disclaimer: This information is provided for educational and defensive purposes. Users are responsible for ensuring the security of their own systems and should act promptly on vendor advisories.