CVE-2026-25072 HIGH

CVE-2026-25072: XikeStor SKS8310-8X Predictable Session Identifiers

Vendor: Anhui Seeker Electronic Technology Co., Ltd.
Product: XikeStor SKS8310-8X
Weakness: CWE-330 · Insufficient randomness
Published: March 7, 2026
Last update: May 11, 2026

CVSS base score

8.6/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain a predictable session identifier vulnerability in the /goform/SetLogin endpoint that allows remote attackers to hijack authenticated sessions. Attackers can predict session identifiers using insufficiently random cookie values and exploit exposed session parameters in URLs to gain unauthorized access to authenticated user sessions.

Key dates

02 Disclosure timeline

March 7, 2026: CVE published
May 11, 2026: Record updated