CVE-2025-41365
Description
Code injection vulnerability in IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04. This vulnerability allows an attacker to store a malicious payload in the software that will later run in the victim's browser. Exploiting this vulnerability requires authenticating to the device and executing certain commands that require permissions higher than the view permission.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Code injection in ZIV IDF and ZLF devices allows authenticated attackers with elevated privileges to store malicious payloads executed in victim browsers.
Vulnerability
CVE-2025-41365 is a code injection vulnerability (CWE-94) affecting ZIV IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04. The flaw allows an attacker to inject malicious code into the device's software, which later executes in a victim's browser when the stored payload is accessed [1].
Exploitation
Exploitation requires authentication to the device and execution of commands that demand permissions higher than the default view permission. This limits the attack to users with elevated roles, such as administrators [1].
Impact
An attacker who successfully exploits this vulnerability can store a malicious payload that runs in the browser of any user viewing the affected interface. This can lead to session hijacking, phishing, or other client-side attacks [1].
Mitigation
ZIV has released firmware version 1.1.0 to fix this vulnerability. Users are advised to update their devices to the latest firmware to mitigate the risk [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (no patches discovered yet)
References: 1
News mentions: 0