CVE-2026-25072 PUBLISHED

XikeStor SKS8310-8X Predictable Session Identifiers

Assigner: VulnCheck
Reserved: 28.01.2026 Published: 07.03.2026 Updated: 07.03.2026

XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain a predictable session identifier vulnerability in the /goform/SetLogin endpoint that allows remote attackers to hijack authenticated sessions. Attackers can predict session identifiers using insufficiently random cookie values and exploit exposed session parameters in URLs to gain unauthorized access to authenticated user sessions.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CVSS Score: 8.6

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	None
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	Anhui Seeker Electronic Technology Co., LTD.
Product	XikeStor SKS8310-8X
Versions	Default: unknown affected from 0 to 1.04.B07 (incl.)

Credits

Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc. finder
VulnCheck coordinator

References

Problem Types

CWE-330 Use of Insufficiently Random Values CWE