CyberLeveling Logo
Critical Security Issues in XikeStor SKS8310-8X Switch Firmware

Critical Security Issues in XikeStor SKS8310-8X Switch Firmware (CVE-2026-25070 to CVE-2026-25073)

March 9, 2026

Network switches are often treated as quiet infrastructure that “just works.” In reality, they are full operating systems running web interfaces, services, and management APIs. When security weaknesses exist in these systems, attackers can gain deep access to a network.

A recently published group of vulnerabilities affecting the XikeStor SKS8310-8X network switch shows how serious these risks can be. Four CVEs (CVE-2026-25070 through CVE-2026-25073) expose multiple ways attackers could access sensitive information, hijack sessions, or even execute commands directly on the device.

This post walks through what each vulnerability does, how attackers might abuse it, and what organizations should do to protect themselves.

Affected Device

  • Product: XikeStor SKS8310-8X Network Switch
  • Affected firmware: 1.04.B07 and earlier

These switches include a web-based management interface used for configuration and monitoring. The vulnerabilities are located inside endpoints exposed by that interface.

CVE-2026-25070 — Unauthenticated Command Injection

Severity: Critical

This is the most dangerous vulnerability in the group. The endpoint used for ping diagnostics (/goform/PingTestSet) accepts a parameter called destIp. Normally, the switch uses this value to run a ping command against a remote host.

The problem is that the firmware does not properly sanitize user input before passing it to the underlying operating system. Because of this, attackers can inject additional shell commands.

Why this is dangerous:

If the web interface executes the command directly in the system shell, attackers can append commands like:

8.8.8.8; cat /etc/passwd

Even worse, the vulnerability:

  • Requires no authentication
  • Can be triggered remotely
  • Executes commands as root

That combination means a remote attacker could fully compromise the switch.

CVE-2026-25071 — Unauthenticated Configuration Download

Severity: High

This vulnerability allows attackers to download the device’s configuration file without logging in via the /switch_config.src endpoint.

The configuration file may contain sensitive network information such as:

  • VLAN configuration
  • Internal IP address ranges
  • Interface mappings
  • Network segmentation rules

Even though this vulnerability does not directly give system control, it provides reconnaissance information that attackers love. Map internal architecture, identify management interfaces, and prepare targeted attacks with this data.

CVE-2026-25072 — Predictable Session Identifiers

Severity: High

This vulnerability involves weak session management. The switch generates authentication cookies that are predictable due to insufficient randomness. Additionally, session parameters are exposed in URLs.

This creates an opportunity for attackers to guess or calculate valid session identifiers, allowing them to impersonate legitimate users and gain administrative access without triggering typical login alerts.

CVE-2026-25073 — Stored Cross-Site Scripting (XSS)

Severity: Medium

This vulnerability allows authenticated users to store malicious JavaScript inside the System Name configuration field. When another user loads the interface and views the value, the script executes inside their browser.

If a network administrator loads the page, the injected script could silently perform actions on their behalf, such as stealing session tokens or making unauthorized configuration changes.

Chaining the Vulnerabilities

Individually these issues are concerning, but together they create a powerful attack chain:

  1. Download configuration (CVE-2026-25071): The attacker maps the network structure.
  2. Hijack an admin session (CVE-2026-25072): The attacker gains web interface access.
  3. Plant stored XSS (CVE-2026-25073): This spreads the compromise to other administrators.
  4. Execute root commands (CVE-2026-25070): The attacker gains full device control.

Risk to Organizations

Network infrastructure devices are high-value targets because they sit in the middle of communication flows. A compromised switch can allow attackers to monitor internal traffic, redirect routes, launch lateral movement attacks, and maintain long-term persistence.

Mitigation and Security Recommendations

Update Firmware Immediately

Install the latest firmware version provided by the vendor once a patched release is available. Firmware updates are the most effective fix.

Restrict Management Access

The web interface should never be exposed to the public internet.

  • Allow access only from trusted management networks
  • Use firewall rules to limit access
  • Disable remote management when not required

Monitor Network Infrastructure

  • Watch for unusual outbound connections from network gear
  • Audit configuration changes and administrative sessions
  • Isolate management interfaces on dedicated VLANs

References

NIST NVD: CVE-2026-25070NIST NVD: CVE-2026-25071NIST NVD: CVE-2026-25072NIST NVD: CVE-2026-25073