Description
XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain a predictable session identifier vulnerability in the /goform/SetLogin endpoint that allows remote attackers to hijack authenticated sessions. Attackers can predict session identifiers using insufficiently random cookie values and exploit exposed session parameters in URLs to gain unauthorized access to authenticated user sessions.
Published: 2026-03-07
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Session Hijacking
Action: Patch Firmware
AI Analysis

Impact

The firmware of the XikeStor SKS8310-8X generates session identifiers for the /goform/SetLogin endpoint with insufficient randomness. An attacker who can reach the device over the network can compute or guess the session cookie and hijack an authenticated session, gaining the same privileges as the authorized user, such as full configuration control.

Affected Systems

This weakness exists in Anhui Seeker Electronic Technology’s XikeStor SKS8310‑8X network switch. Firmware versions 1.04.B07 and earlier are affected. Devices running these releases should be considered vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.6, reflecting high severity. The EPSS score is below 1%, indicating a very low probability of exploitation at the time of assessment. An attacker needs network access to the switch and the ability to reach the /goform/SetLogin endpoint; no local privilege escalation is required. Exploitation is possible remotely and could grant full administrative rights, but the low EPSS suggests that known exploitation is not yet common; because the impact is loss of control over the device, the risk nevertheless remains non-negligible.

Generated by OpenCVE AI on April 16, 2026 at 11:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the switch firmware to a version newer than 1.04.B07, which removes the predictable session identifier flaw.
  • If an upgrade is not immediately possible, restrict administrative interfaces to a secure management subnet or VPN and block external access to the /goform/SetLogin URL.
  • Enforce strong, unique passwords, enable two‑factor authentication if available, and monitor administrative logs for anomalous login activity.
  • Consider disabling the web management interface entirely when not needed.


Advisories

No advisories yet.

History

Thu, 12 Mar 2026 15:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared | (none)         | Seekswan; Seekswan zikestor Sks8310-8x; Seekswan zikestor Sks8310-8x Firmware
CPEs                | (none)         | cpe:2.3:h:seekswan:zikestor_sks8310-8x:-:*:*:*:*:*:*:*; cpe:2.3:o:seekswan:zikestor_sks8310-8x_firmware:*:*:*:*:*:*:*:*
Vendors & Products  | (none)         | Seekswan; Seekswan zikestor Sks8310-8x; Seekswan zikestor Sks8310-8x Firmware
Metrics             | (none)         | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 10 Mar 2026 18:15:00 +0000

Type    | Values Removed | Values Added
Metrics | (none)         | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared | (none)         | Anhui Seeker Electronic Technology Co., Ltd.; Anhui Seeker Electronic Technology Co., Ltd. xikestor Sks8310-8x
Vendors & Products  | (none)         | Anhui Seeker Electronic Technology Co., Ltd.; Anhui Seeker Electronic Technology Co., Ltd. xikestor Sks8310-8x

Sat, 07 Mar 2026 01:00:00 +0000

Type        | Values Removed | Values Added
Description | (none)         | XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain a predictable session identifier vulnerability in the /goform/SetLogin endpoint that allows remote attackers to hijack authenticated sessions. Attackers can predict session identifiers using insufficiently random cookie values and exploit exposed session parameters in URLs to gain unauthorized access to authenticated user sessions.
Title       | (none)         | XikeStor SKS8310-8X Predictable Session Identifiers
Weaknesses  | (none)         | CWE-330
References  | (none)         | (none listed)
Metrics     | (none)         | cvssV4_0: {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-10T17:58:38.650Z

Reserved: 2026-01-28T21:47:35.120Z

Link: CVE-2026-25072

Vulnrichment

Updated: 2026-03-10T17:44:25.067Z

NVD

Status : Analyzed

Published: 2026-03-07T01:15:58.253

Modified: 2026-03-12T14:56:31.523

Link: CVE-2026-25072

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:15:27Z

Weaknesses