CVE-2025-65212

CriticalPublic PoC

Published: 06 January 2026

Published

06 January 2026

Modified

29 January 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0011 28.5th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

An issue was discovered in NJHYST HY511 POE core before 2.1 and plugins before 0.1. The vulnerability stems from the device's insufficient cookie verification, allowing an attacker to directly request the configuration file address and download the core configuration file…

without logging into the device management backend. By reading the corresponding username and self-decrypted MD5 password in the core configuration file, the attacker can directly log in to the backend, thereby bypassing the front-end backend login page.

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations to prevent unauthenticated attackers from directly requesting and downloading the sensitive core configuration file.

SC-23 Session Authenticity good match

prevent

Protects session authenticity through proper cookie verification to block bypass of the frontend login page for backend access.

IA-5 Authenticator Management partial match

prevent

Requires management and protection of authenticators to prevent exposure of usernames and self-decrypted MD5 passwords in accessible configuration files.

Security SummaryAI

CVE-2025-65212, published on 2026-01-06, affects the NJHYST HY511 POE core software in versions before 2.1 and associated plugins before 0.1. The vulnerability arises from insufficient cookie verification, classified under CWE-565, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). This flaw enables an attacker to directly request and download the core configuration file without authenticating to the device management backend.

A remote attacker requires only network access to the device and can exploit this with low complexity and no privileges or user interaction. By downloading the configuration file, the attacker extracts the embedded username and self-decrypted MD5 password, enabling direct login to the backend and bypassing the front-end login page. This results in high-impact unauthorized access, potentially compromising confidentiality, integrity, and availability of the device.

Advisories and further details, including potential exploitation information, are provided in the following references: https://gist.github.com/a2148001284/bcdda75fc8718454f16a7b9259463719 and https://github.com/a2148001284/test1/blob/main/%E6%9C%AA%E6%8E%87%E6%9D%83%E8%AE%BF%E9%97%AE%E5%90%8E%E5%8F%B0%E6%BC%8F%E6%B4%9EEN.md.

Details

CWE(s): CWE-565

Affected Products

njhyst

hy511 firmware

≤ 2.1

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1552.001 Credentials In Files Credential Access

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

attack.mitre.org →

Why these techniques?

Insufficient cookie verification (CWE-565) directly enables unauthenticated remote download of the config file containing credentials (T1190: Exploit Public-Facing Application; T1552.001: Credentials In Files).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References

https://gist.github.com/a2148001284/bcdda75fc8718454f16a7b9259463719
Third Party Advisory · cve@mitre.org
https://github.com/a2148001284/test1/blob/main/%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE%E5%90%8E%E5%8F%B0%E6%BC%8F%E6%B4%9EEN.md
Exploit, Third Party Advisory · cve@mitre.org