Description
XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain a missing authentication vulnerability in the /switch_config.src endpoint that allows unauthenticated remote attackers to download device configuration files. Attackers can access this endpoint without credentials to retrieve sensitive configuration information including VLAN settings and IP addressing details.
Published: 2026-03-07
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Configuration Disclosure
Action: Patch or Mitigate
AI Analysis

Impact

A missing authentication flaw in the /switch_config.src endpoint lets an attacker retrieve the entire device configuration without any credentials. The exposed information includes VLAN assignments and IP addressing data that can enable further network reconnaissance and targeted attacks. The weakness is missing authentication for a critical function (CWE-306) and discloses confidential configuration information, potentially leading to privilege escalation or lateral movement in the network.

Affected Systems

Anhui Seeker Electronic Technology Co., LTD. XikeStor SKS8310‑8X network switches running firmware version 1.04.B07 or older are affected. The flaw resides in the embedded switch firmware and applies to devices of the SKS8310‑8X model line.

Risk and Exploitability

The CVSS score of 8.7 denotes high severity, yet the EPSS score is below 1%, indicating a low predicted likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, and no public exploits are documented. The attack vector is inferred to be remote: network traffic can be directed at the switch's /switch_config.src endpoint without authentication, assuming the device is reachable on the internal or external network.

Generated by OpenCVE AI on April 16, 2026 at 11:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check with Anhui Seeker Electronic for a firmware update that addresses the missing-authentication issue, and update all SKS8310-8X switches to a released version newer than 1.04.B07.
  • Configure network access controls to restrict or block remote access to the switch's management interfaces, especially the /switch_config.src endpoint, so that external networks cannot perform unauthenticated reads.
  • Monitor the switch's logs for HTTP GET requests to /switch_config.src, and alert on unauthenticated or suspicious access patterns to detect potential exploitation.

Generated by OpenCVE AI on April 16, 2026 at 11:05 UTC.
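
The monitoring action above, sketched as an added example (not OpenCVE or vendor code): it scans Common Log Format lines from an assumed HTTP proxy or sensor in front of the switch management interface, because the switch's own log format is not given here. The 10.10.0.0/24 management subnet, the function names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

TARGET = "/switch_config.src"                        # endpoint named in the advisory
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]   # assumption: admin subnet

# Common Log Format: src ident user [time] "METHOD target PROTO" status bytes
LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+)[^"]*" '
                     r'(?P<status>\d{3}) (?P<size>\d+|-)')

def normalize(target):
    """Drop the query string, decode percent-escapes, collapse '//', lowercase."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path).lower()

def in_mgmt(src):
    # True only when src parses as an IP inside an allowed management network.
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:            # hostname or garbage: treat as untrusted
        return False
    return any(ip in net for net in MGMT_NETS)

def classify(line):
    """Return None for unrelated lines, else a finding dict with a severity."""
    m = LINE_RE.match(line)
    if not m or normalize(m["target"]) != TARGET:
        return None
    served = m["status"] == "200" and m["size"] not in ("-", "0")
    if in_mgmt(m["src"]):
        severity = "info"         # expected admin source, kept for the audit trail
    elif served:
        severity = "high"         # configuration body returned to an unexpected source
    else:
        severity = "medium"       # request seen, but no configuration body returned
    return {"src": m["src"], "ts": m["ts"], "status": int(m["status"]), "severity": severity}

def scan(lines):
    return [f for f in map(classify, lines) if f]

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '10.10.0.5 - - [07/Mar/2026:09:12:01 +0000] "GET /switch_config.src HTTP/1.1" 200 4211',
    '198.51.100.23 - - [07/Mar/2026:09:14:40 +0000] "GET /switch_config.src?t=1 HTTP/1.1" 200 4211',
    '203.0.113.9 - - [07/Mar/2026:09:15:02 +0000] "GET /switch_config.src HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Lowercasing the path is a deliberately broad match: it may over-report, which is the safer failure mode for an alert on this endpoint.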

Advisories

No advisories yet.

History

Thu, 12 Mar 2026 15:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Seekswan; Seekswan zikestor Sks8310-8x; Seekswan zikestor Sks8310-8x Firmware |
| CPEs | | cpe:2.3:h:seekswan:zikestor_sks8310-8x:-:*:*:*:*:*:*:*; cpe:2.3:o:seekswan:zikestor_sks8310-8x_firmware:*:*:*:*:*:*:*:* |
| Vendors & Products | | Seekswan; Seekswan zikestor Sks8310-8x; Seekswan zikestor Sks8310-8x Firmware |
| Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'} |


Tue, 10 Mar 2026 18:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Mon, 09 Mar 2026 10:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Anhui Seeker Electronic Technology Co., Ltd.; Anhui Seeker Electronic Technology Co., Ltd. xikestor Sks8310-8x |
| Vendors & Products | | Anhui Seeker Electronic Technology Co., Ltd.; Anhui Seeker Electronic Technology Co., Ltd. xikestor Sks8310-8x |

Sat, 07 Mar 2026 01:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain a missing authentication vulnerability in the /switch_config.src endpoint that allows unauthenticated remote attackers to download device configuration files. Attackers can access this endpoint without credentials to retrieve sensitive configuration information including VLAN settings and IP addressing details. |
| Title | | XikeStor SKS8310-8X switch_config.src Missing Authentication |
| Weaknesses | | CWE-306 |
| References | | |
| Metrics | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-10T17:58:44.847Z

Reserved: 2026-01-28T21:47:35.120Z

Link: CVE-2026-25071

Vulnrichment

Updated: 2026-03-10T17:44:40.935Z

NVD

Status: Analyzed

Published: 2026-03-07T01:15:58.083

Modified: 2026-03-12T15:00:02.047

Link: CVE-2026-25071

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:15:27Z
