CVE-2026-25072

CVE-2026-25072 is a predictable session identifier vulnerability (CWE-330) affecting the firmware of XikeStor SKS8310-8X Network Switch devices, specifically versions 1.04.B07 and prior. The issue resides in the /goform/SetLogin endpoint, where session identifiers are generated using insufficiently random cookie values. This allows attackers to predict session IDs and exploit exposed session parameters in URLs, enabling the hijacking of authenticated user sessions. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high confidentiality, integrity, and availability impacts.

Remote attackers require no privileges, authentication, or user interaction to exploit this vulnerability over the network. By predicting session identifiers from the weak randomness in cookies and leveraging URL-exposed parameters, attackers can impersonate legitimate users and gain unauthorized access to authenticated sessions on the affected switch. Successful exploitation grants full control over the hijacked session, potentially allowing configuration changes, data access, or other administrative actions depending on the victim's permissions.

The provided references include an OpenWRT table of hardware entry for the XikeStor SKS8310-8X and an AliExpress product listing, but no specific advisories, patches, or mitigation guidance are detailed in the available information. Security practitioners should monitor for firmware updates from the vendor and consider network segmentation or session management best practices until patches are confirmed.