CRITICAL🇵🇱 Wersja polska

CVE-2025-65212

CVSS 9.8v3.1pub. 2026-01-06upd. 2026-01-29

An issue was discovered in NJHYST HY511 POE core before 2.1 and plugins before 0.1. The vulnerability stems from the device's insufficient cookie verification, allowing an attacker to directly request the configuration file address and download the core configuration file without logging into the device management backend. By reading the corresponding username and self-decrypted MD5 password in the core configuration file, the attacker can directly log in to the backend, thereby bypassing the front-end backend login page.

🤖 AI Analysis
How it works

The vulnerability results from insufficient cookie verification (CWE-565) in the device software. An attacker can directly send an HTTP request to the configuration file address without prior login to the management panel. The downloaded configuration file contains usernames and passwords in MD5 hash format, which can be decrypted. With credentials in hand, the attacker can log in to the administrative panel, completely bypassing the authentication mechanism at the interface level.

Impact

The attacker gains full, unauthorized access to the device's administrative panel, enabling them to read and modify configuration, take control of the device, and potentially perform further actions on the local network.

Mitigation & patch

Update NJHYST HY511 POE core software to version 2.1 or newer and plugins to version 0.1 or newer. Until the patch is deployed, it is recommended to restrict access to the device management interface exclusively to trusted IP addresses through firewall or network segmentation.

Who is affected

NJHYST HY511 POE core in versions before 2.1 and plugins in versions before 0.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Njhyst Hy511

    HW
    Njhyst
    wszystkie wersje
  • Njhyst Hy511 Firmware

    OS
    Njhyst
    < 2.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References