CVE-2025-34467 MEDIUM

CVE-2025-34467: ZwiiCMS < 13.7.00 Lock Persistence Authenticated DoS Against Administrative Pages

Vendor Fredtempez
Product ZwiiCMS
Weakness CWE-667
Published December 31, 2025
Last update May 14, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01Description

ZwiiCMS versions prior to 13.7.00 contain a denial-of-service vulnerability in multiple administrative endpoints due to improper authorization checks combined with flawed resource state management. When an authenticated low-privilege user requests an administrative page, the application returns "404 Not Found" as expected, but incorrectly acquires and associates a temporary lock on the targeted resource with the attacker session prior to authorization. This lock prevents other users, including administrators, from accessing the affected functionality until the attacker navigates away or the session is terminated.

Key dates

02Disclosure timeline

December 31, 2025 CVE published
May 14, 2026 Record updated