CVE-2026-25070
Published: 07 March 2026
Description
XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain an OS command injection vulnerability in the /goform/PingTestSet endpoint that allows unauthenticated remote attackers to execute arbitrary operating system commands. Attackers can inject malicious commands through the destIp parameter to achieve remote code execution with root privileges on the network switch.
Mitigating Controls (NIST 800-53 r5)
- Input validation: directly prevents OS command injection by requiring validation and sanitization of the destIp parameter at the vulnerable /goform/PingTestSet endpoint.
- Flaw remediation: addresses the specific firmware flaw enabling remote code execution by mandating timely remediation through vendor patches or firmware upgrades.
- System monitoring: facilitates detection of exploitation attempts by monitoring network traffic to the /goform/PingTestSet endpoint and anomalous behaviour on the switch.
Security Summary
CVE-2026-25070 is an OS command injection vulnerability (CWE-78) affecting the firmware of XikeStor SKS8310-8X Network Switches in versions 1.04.B07 and prior. The flaw resides in the /goform/PingTestSet endpoint, where the destIp parameter is passed to an operating system command without proper sanitization, enabling attackers to inject and execute arbitrary commands. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical.
Unauthenticated remote attackers can exploit the vulnerability over the network with low attack complexity and no privileges or user interaction required. By sending a crafted request to the PingTestSet endpoint with injected commands in the destIp parameter, an attacker achieves remote code execution with root privileges on the affected switch. This grants full control over the device and, from there, the ability to disrupt the network, intercept or exfiltrate traffic, pivot to attached hosts, or persist in the environment.
The published references are an OpenWrt Table of Hardware entry for the XikeStor SKS8310-8X and an AliExpress product listing; neither is a vendor advisory, and no patch or specific mitigation guidance is given in them. Until fixed firmware is available, practitioners should restrict reachability of the switch's web management interface to trusted management networks (the endpoint requires no authentication), monitor for requests to /goform/PingTestSet whose destIp value is not a plain IP address, and check with the vendor for an updated firmware release.
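The input-validation and monitoring controls listed above, worked through as an added example; this is not code from the XikeStor firmware or from this advisory. It assumes destIp arrives as a URL-encoded request parameter and uses constructed request records in place of real proxy or access logs. The same allowlist check serves both sides: a hardened handler that refuses anything but an IP literal and never lets a shell parse the value, and a scanner that flags PingTestSet requests whose destIp fails that check.

```python
import ipaddress
import re
import subprocess
from urllib.parse import unquote_plus, urlsplit

TARGET_PATH = "/goform/PingTestSet"  # endpoint named in the advisory
PARAM = "destIp"                     # parameter named in the advisory


def is_valid_dest_ip(value: str) -> bool:
    """Allowlist check: accept only a syntactically valid IPv4/IPv6 literal.
    Hostnames, separators and shell syntax are all rejected."""
    try:
        ipaddress.ip_address(value.strip())
    except ValueError:
        return False
    return True


def build_ping_argv(dest_ip: str, count: int = 3) -> list:
    """Hardened handler: validate, then build an argv list for ping.
    Passing a list to subprocess.run (no shell=True) means no shell ever
    parses the value, so ';', '|', '`' or '$()' cannot start a second command."""
    if not is_valid_dest_ip(dest_ip):
        raise ValueError(f"rejected {PARAM}={dest_ip!r}: not an IP literal")
    return ["ping", "-c", str(count), dest_ip.strip()]


def run_ping(dest_ip: str) -> subprocess.CompletedProcess:
    """Execute the validated ping without a shell (not exercised offline)."""
    return subprocess.run(build_ping_argv(dest_ip), capture_output=True,
                          text=True, timeout=30)


# --- detection side (the monitoring control) ---------------------------------

# Shell metacharacters; none of these belongs in a host address.
SHELL_META = re.compile(r"[;&|`$<>\n(){}]")

# Constructed sample records "<client> <method> <request-target>" (not real traffic).
SAMPLE_RECORDS = [
    "192.0.2.10 POST /goform/PingTestSet?destIp=10.0.0.1",
    "192.0.2.10 POST /goform/PingTestSet?destIp=10.0.0.1;id",
    "198.51.100.7 POST /goform/PingTestSet?destIp=10.0.0.1%60uname%60",
    "192.0.2.10 GET /goform/GetStatus?ts=1",
    "203.0.113.5 POST /goform/PingTestSet?destIp=$(cat+/etc/passwd)",
    "203.0.113.5 POST /goform/PingTestSet?destIp=2001:db8::1",
]


def query_params(query: str) -> dict:
    """Minimal query-string parser that splits only on '&', so a ';' inside a
    value survives for inspection (older parse_qs versions also split on ';')."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, val = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(val))
    return params


def scan_records(records) -> list:
    """Return (client, decoded destIp, reason) for every PingTestSet request
    whose destIp is not a clean IP literal; these are the requests to alert on."""
    hits = []
    for rec in records:
        client, _method, target = rec.split(" ", 2)
        parts = urlsplit(target)
        if parts.path != TARGET_PATH:
            continue
        for value in query_params(parts.query).get(PARAM, []):
            if SHELL_META.search(value):
                hits.append((client, value, "shell metacharacter in destIp"))
            elif not is_valid_dest_ip(value):
                hits.append((client, value, "destIp is not an IP literal"))
    return hits


if __name__ == "__main__":
    for client, value, reason in scan_records(SAMPLE_RECORDS):
        print(f"ALERT {client} {PARAM}={value!r}: {reason}")
```

The scanner reports three of the six constructed records (the two with injected shell syntax and the URL-encoded backtick one) and leaves the plain IPv4 and IPv6 requests alone. If the real firmware must also accept hostnames, extend the allowlist with a strict hostname pattern rather than loosening it to "anything without a semicolon", and keep the argv form of invocation: the validation and the absence of a shell are independent defences, and the second one holds even when the first is bypassed.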
Details
- CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
- Affected Products: XikeStor SKS8310-8X Network Switch, firmware versions 1.04.B07 and prior
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1059.004 Command and Scripting Interpreter: Unix Shell
Why these techniques?
Unauthenticated OS command injection via a public-facing web endpoint (/goform/PingTestSet) is exploitation of a public-facing application (T1190), and the injected payload runs as arbitrary Unix shell commands (T1059.004) with root privileges on the network switch.