An authentication bypass vulnerability exists in the embedded HTTP server of Panabit PAP‑XM320, up to version 7.7. The server validates session cookies by performing a filesystem existence check on a path derived directly from a user‑controlled cookie value. Because the cookie input is not properly sanitized, an attacker can craft a cookie containing directory traversal characters. The check will then resolve to an arbitrary location on the server’s filesystem, causing the existence test to succeed regardless of a legitimate session. This flaw allows an unauthenticated attacker to bypass authentication and gain access to the HTTP interface that may expose sensitive management functions.

Panabit PAP‑XM320 embedded HTTP server running firmware version 7.7 or earlier. No other vendors or products are affected.

The vulnerability permits attackers to bypass authentication without requiring any additional privileges or credentials. Based on the description, it is inferred that attackers can exploit the exposed web interface over the network, effectively performing the bypass remotely. Although EPSS is not available and the issue is not listed in the CISA KEV catalog, the nature of the flaw—direct authorization bypass—suggests a high likelihood of exploitation in environments where the HTTP interface is exposed to untrusted networks. The CVSS score of 9.8 indicates critical severity and underscores the urgency of remediation.