CVE-2026-25070 CRITICAL

CVE-2026-25070: XikeStor SKS8310-8X PingTestSet Command Injection

Vendor Anhui Seeker Electronic Technology Co., Ltd.

Product XikeStor SKS8310-8X

Weakness CWE-78

Published March 7, 2026

Last update May 11, 2026

View on NVD All CVEs

CVSS base score

9.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain an OS command injection vulnerability in the /goform/PingTestSet endpoint that allows unauthenticated remote attackers to execute arbitrary operating system commands. Attackers can inject malicious commands through the destIp parameter to achieve remote code execution with root privileges on the network switch.

Key dates

02Disclosure timeline

March 7, 2026 CVE published

May 11, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-25070

Related vulnerabilities

Identifiers

CVE CVE-2026-25070

CWE CWE-78

CVSS 9.3 / CRITICAL

Affected versions