CVE-2025-64074 in WE2001info

Summary

by MITRE • 02/12/2026

A path-traversal vulnerability in the logout functionality of Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 allows remote attackers to delete arbitrary files on the host by supplying a crafted session cookie value.


Analysis

by VulDB Data Team • 02/13/2026

The vulnerability identified as CVE-2025-64074 represents a critical path traversal flaw within the logout mechanism of Shenzhen Zhibotong Electronics ZBT WE2001 device firmware version 23.09.27. This issue stems from inadequate input validation and improper handling of session cookie values during the logout process, creating an exploitable condition that enables remote attackers to execute arbitrary file deletion operations on the affected device. The vulnerability specifically manifests when the system processes session identifiers that contain malicious path traversal sequences, allowing attackers to bypass normal file access controls and target files outside the intended directory structure.

The technical implementation of this vulnerability leverages the fundamental weakness in how the device handles session cookie values during authentication state transitions. When a user attempts to log out, the system processes the session identifier without proper sanitization or path validation, enabling attackers to inject sequences such as ../ or similar traversal patterns into the cookie value. This flaw directly maps to CWE-22, which describes improper limitation of a pathname to a restricted directory, commonly known as path traversal or directory traversal. The vulnerability occurs at the application level where user-supplied input is not properly validated before being used in file system operations, creating a direct pathway for unauthorized file system access and manipulation.

From an operational perspective, this vulnerability presents significant security implications for organizations relying on ZBT WE2001 devices, as it allows remote attackers to delete critical system files, configuration data, or even malware payloads that could compromise device functionality or enable further exploitation. The remote nature of the attack means that threat actors can exploit this vulnerability without physical access to the device, making it particularly dangerous in networked environments where these devices may be exposed to untrusted networks. The impact extends beyond simple file deletion, as attackers could potentially target system binaries, configuration files, or log data that could lead to complete device compromise or denial of service conditions. This vulnerability also aligns with ATT&CK technique T1059.007 for command and scripting interpreter and T1485 for data destruction, as it enables attackers to execute destructive operations on target systems.

The mitigation strategies for this vulnerability should focus on immediate firmware updates provided by the vendor, as well as implementing network-level controls to restrict access to device management interfaces. Organizations should deploy proper input validation mechanisms that sanitize all session cookie values before processing, implement strict path validation routines that prevent traversal sequences from being processed, and establish robust access controls that limit who can perform logout operations. Additionally, network segmentation and firewall rules should be implemented to restrict access to these devices from untrusted networks, while monitoring systems should be configured to detect unusual logout patterns or file access attempts that could indicate exploitation attempts. The remediation process must also include comprehensive security testing of all authentication and session management components to prevent similar vulnerabilities from existing in other parts of the system architecture, following security best practices outlined in standards such as NIST SP 800-53 and ISO/IEC 27001.
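The flaw and the mitigation described above, as an added C example that is not code from the WE2001 firmware or from VulDB: a logout handler that derives a server-side session-file path from the cookie value, first in the unvalidated form and then with the input validation and path check the analysis calls for. The session directory, the session-id format and all function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical server-side session store; a constructed path, not the device's. */
#define SESSION_DIR "/var/run/sessions/"

/* Vulnerable pattern: the cookie value is concatenated straight into the path,
 * so any "../" in the cookie walks out of SESSION_DIR before unlink() runs. */
int build_session_path_unsafe(const char *sid, char *out, size_t n) {
    return snprintf(out, n, "%s%s", SESSION_DIR, sid) > 0;
}

/* Hardened: accept only session ids of a fixed, bounded alphanumeric form. */
int is_valid_session_id(const char *sid) {
    size_t len = strlen(sid);
    if (len < 16 || len > 64) return 0;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)sid[i])) return 0;
    return 1;
}

int build_session_path_safe(const char *sid, char *out, size_t n) {
    if (!is_valid_session_id(sid)) return 0;
    int w = snprintf(out, n, "%s%s", SESSION_DIR, sid);
    if (w < 0 || (size_t)w >= n) return 0;          /* truncated: refuse */
    /* Belt and braces: result must stay inside SESSION_DIR and contain no ".." */
    return strncmp(out, SESSION_DIR, strlen(SESSION_DIR)) == 0
        && strstr(out, "..") == NULL;
}

/* Logout handler: returns 0 when the session file may be removed, -1 when the
 * cookie value is rejected (a rejection is worth logging as a probe). */
int logout_session(const char *cookie_sid) {
    char path[512];
    if (!build_session_path_safe(cookie_sid, path, sizeof path)) return -1;
    /* unlink(path) would go here; omitted so the example runs without
     * touching the filesystem. */
    return 0;
}

int main(void) {
    char buf[512];
    build_session_path_unsafe("../../../important.conf", buf, sizeof buf);
    printf("unsafe builder produced: %s\n", buf);                 /* escapes the store */
    printf("safe builder rejects it: %d\n",
           build_session_path_safe("../../../important.conf", buf, sizeof buf));
    printf("safe builder accepts a real id: %d\n",
           build_session_path_safe("a1b2c3d4e5f6a7b8c9d0", buf, sizeof buf));
    return 0;
}
```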

Responsible

MITRE

Reservation

10/27/2025

Disclosure

02/12/2026

Moderation

accepted

CPE

ready

EPSS

0.00125

KEV

no

Activities

very low
