Description

XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain an OS command injection vulnerability in the /goform/PingTestSet endpoint that allows unauthenticated remote attackers to execute arbitrary operating system commands. Attackers can inject malicious commands through the destIp parameter to achieve remote code execution with root privileges on the network switch.

PUBLISHED | Reserved 2026-01-28 | Published 2026-03-07 | Updated 2026-03-07 | Assigner VulnCheck

CRITICAL: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

Problem types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status: unknown

Any version: affected

Credits

Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc. (finder)

VulnCheck (coordinator)

References

www.aliexpress.com/i/3256808697772710.html (product)

openwrt.org/...x?s%5B%5D=xikestor&s%5B%5D=sks8310&s%5B%5D=8x (product)

cve.org (CVE-2026-25070)

nvd.nist.gov (CVE-2026-25070)
