VYPR
Medium severity (CVSS 5.3, NVD Advisory) · Published Feb 11, 2026 · Updated Apr 15, 2026

CVE-2025-64074

Description

A path-traversal vulnerability in the logout functionality of Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 allows remote attackers to delete arbitrary files on the host by supplying a crafted session cookie value.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A path-traversal flaw in ZBT WE2001 router logout lets remote attackers delete arbitrary files via a crafted session cookie.

Root Cause

The vulnerability resides in the logout operation of the webapi shell script on the ZBT WE2001 router (firmware 23.09.27). The script directly concatenates the user-supplied access_token parameter into an rm command without any sanitization. Specifically, the code reads FORM_access_token and executes rm /tmp/webapi_token/session/${FORM_access_token}, allowing an attacker to inject directory-traversal sequences such as ../ to escape the intended session directory [2].

Attack Requirements

Exploitation requires knowledge of the router's IP address (default often 192.168.1.1) and that the /tmp/webapi_token/session/ directory exists — which is automatically created when at least one valid session is active on the device. The attacker can send a crafted HTTP GET or POST request directly to the vulnerable cgi-bin/webapi endpoint with the op=logout parameter and a malicious access_token value containing path traversal sequences. No authentication is needed because the logout operation processes the token before verifying the session [2].

Impact

A remote, unauthenticated attacker can delete arbitrary files on the host system by navigating the file system via ../ sequences. This includes critical system files (e.g., configuration files, system binaries, boot configurations). Deleting files such as /etc/hosts or firewall rules can disrupt network functionality, while removal of startup scripts or binaries can render the device inoperable, potentially requiring a factory reset [2].

Mitigation

As of the publication date, Shenzhen Zhibotong Electronics has not released a firmware patch for this vulnerability. The vendor's general product page [1] does not mention any security update. Users should consider applying access control restrictions on the router's web interface (e.g., limit LAN access to trusted devices) until an official fix is available. No workaround that fully eliminates the risk without code changes has been documented.
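The Root Cause section above describes a logout handler that interpolates the access token straight into an rm command, and the Mitigation section notes that only a code change closes the hole. As an added example (not the vendor's webapi script and not code from this advisory), the POSIX shell fragment below shows what such a change looks like: the token is checked against a strict alphabet before it is ever joined to the session directory, and the deletion is limited to a regular file inside that directory. The session directory path, the FORM_access_token variable name (taken from the advisory's description) and the allowed token alphabet are assumptions.

```shell
#!/bin/sh
# Added example, not the vendor's code. Demonstrates the input validation the
# advisory says is missing from the logout operation.
#
# Unsafe pattern as described in the advisory (kept here only as a comment):
#   rm /tmp/webapi_token/session/${FORM_access_token}
# Because the token is interpolated unchecked, "../" sequences in it walk out
# of the session directory before rm runs.

# Assumption: session files live here. Overridable so it can be exercised in
# a throwaway directory.
SESSION_DIR="${SESSION_DIR:-/tmp/webapi_token/session}"

# is_valid_token TOKEN
# Succeeds only for a non-empty token of at most 64 characters drawn from
# [A-Za-z0-9_-]. Slashes, dots, spaces and everything else are rejected, so a
# validated token can never name anything but a direct child of SESSION_DIR.
is_valid_token() {
    tok=$1
    [ -n "$tok" ] || return 1
    [ "${#tok}" -le 64 ] || return 1
    case $tok in
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# logout_session TOKEN
# Prints exactly one word: rejected (token failed validation), missing (no such
# session file) or deleted (session file removed). Returns 0 only for deleted.
logout_session() {
    tok=$1
    if ! is_valid_token "$tok"; then
        echo rejected
        return 1
    fi
    target="$SESSION_DIR/$tok"
    # Only a plain regular file counts as a session; refuse symlinks so a
    # planted link cannot redirect the rm elsewhere.
    if [ -L "$target" ] || [ ! -f "$target" ]; then
        echo missing
        return 1
    fi
    rm -f -- "$target"
    echo deleted
}

# handle_logout
# Entry point shaped like the advisory's description: the CGI layer is assumed
# to expose the request parameter as FORM_access_token.
handle_logout() {
    logout_session "${FORM_access_token:-}"
}

# demo: exercise the handler in a throwaway directory.
# Usage: sh thisfile.sh demo
demo() {
    sandbox=$(mktemp -d) || return 1
    mkdir -p "$sandbox/session"
    printf 'x' > "$sandbox/session/abc123"
    printf 'keep' > "$sandbox/outside"
    SESSION_DIR="$sandbox/session"
    logout_session "../outside"     # prints: rejected
    logout_session "abc123"         # prints: deleted
    logout_session "abc123"         # prints: missing
    if [ -f "$sandbox/outside" ]; then
        echo "file outside the session directory is untouched"
    fi
    rm -rf -- "$sandbox"
    return 0
}

[ "${1-}" = demo ] && demo
```

The validation is deliberately an allowlist rather than a blocklist of "../": stripping known traversal sequences leaves room for encodings and edge cases, whereas rejecting any character outside the token alphabet makes the constructed path provably stay inside SESSION_DIR.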

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0

No linked articles in our index yet.