Description
XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain an OS command injection vulnerability in the /goform/PingTestSet endpoint that allows unauthenticated remote attackers to execute arbitrary operating system commands. Attackers can inject malicious commands through the destIp parameter to achieve remote code execution with root privileges on the network switch.
Published: 2026-03-07
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an OS command injection in the /goform/PingTestSet endpoint of the XikeStor SKS8310-8X network switch firmware. By supplying a crafted value to the destIp parameter, an unauthenticated attacker can inject and execute arbitrary operating system commands with root privileges. This falls under CWE-78, allowing attackers to compromise the device’s confidentiality, integrity, and availability.

Affected Systems

The affected product is the XikeStor SKS8310-8X from vendor Anhui Seeker Electronic Technology Co., LTD. Firmware version 1.04.B07 and all earlier releases are affected. Devices running these firmware images are susceptible to remote exploitation without authorization.

Risk and Exploitability

The CVSS base score of 9.3 denotes a critical impact, while the EPSS score of less than 1% indicates a low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers are likely to target the switch via the unprotected /goform/PingTestSet endpoint over the network, requiring no authentication and enabling remote code execution with root privileges.

Generated by OpenCVE AI on April 17, 2026 at 12:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the firmware to the latest available version to remove the vulnerable code.
  • If a firmware upgrade cannot be performed immediately, block external access to the /goform/PingTestSet endpoint with a firewall rule or device configuration that restricts that URI to trusted IPs only.
  • Disable remote management or enforce strong authentication on management interfaces to prevent unauthorized use of the endpoint.


Advisories

No advisories yet.

History

Thu, 12 Mar 2026 15:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  Seekswan
  Seekswan zikestor Sks8310-8x
  Seekswan zikestor Sks8310-8x Firmware

Type: CPEs
Values Removed: (none)
Values Added:
  cpe:2.3:h:seekswan:zikestor_sks8310-8x:-:*:*:*:*:*:*:*
  cpe:2.3:o:seekswan:zikestor_sks8310-8x_firmware:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added:
  Seekswan
  Seekswan zikestor Sks8310-8x
  Seekswan zikestor Sks8310-8x Firmware

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1
  {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 10 Mar 2026 18:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  ssvc
  {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  Anhui Seeker Electronic Technology Co., Ltd.
  Anhui Seeker Electronic Technology Co., Ltd. xikestor Sks8310-8x

Type: Vendors & Products
Values Removed: (none)
Values Added:
  Anhui Seeker Electronic Technology Co., Ltd.
  Anhui Seeker Electronic Technology Co., Ltd. xikestor Sks8310-8x

Sat, 07 Mar 2026 01:00:00 +0000

Type: Description
Values Removed: (none)
Values Added:
  XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain an OS command injection vulnerability in the /goform/PingTestSet endpoint that allows unauthenticated remote attackers to execute arbitrary operating system commands. Attackers can inject malicious commands through the destIp parameter to achieve remote code execution with root privileges on the network switch.

Type: Title
Values Removed: (none)
Values Added:
  XikeStor SKS8310-8X PingTestSet Command Injection

Type: Weaknesses
Values Removed: (none)
Values Added:
  CWE-78

Type: References

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV4_0
  {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-10T17:58:52.495Z

Reserved: 2026-01-28T21:47:35.120Z

Link: CVE-2026-25070

Vulnrichment

Updated: 2026-03-10T17:45:06.650Z

NVD

Status: Analyzed

Published: 2026-03-07T01:15:57.427

Modified: 2026-03-12T15:11:20.980

Link: CVE-2026-25070

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:30:06Z
