CVE-2025-11272 MEDIUM

CVE-2025-11272: SeriaWei ZKEACMS POST Request UrlRedirectionController.cs Delete improper authorization

Vendor Seriawei
Product ZKEACMS
Weakness CWE-285
Published October 4, 2025
Last update October 6, 2025
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A vulnerability has been found in SeriaWei ZKEACMS up to 4.3. This affects the function Delete of the file src/ZKEACMS.Redirection/Controllers/UrlRedirectionController.cs of the component POST Request Handler. The manipulation leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

02Disclosure timeline

October 4, 2025 CVE published
October 6, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-0584 VK Blocks <= 1.57.0.5 - Authenticated(Contributor+) Settings Update CVE-2024-21987 Improper Authorization Vulnerability in SnapCenter CVE-2025-29922 kcp allows unauthorized creation and deletion of objects in arbitrary workspaces through APIExport Virtual Workspace CVE-2025-10676 fuyang_lipengjun platform queryAll BrandController improper authorization CVE-2023-44410 D-Link D-View showUsers Improper Authorization Privilege Escalation Vulnerability