CVE-2025-41366: CORS vulnerability in IDF and ZLF

5.1 CVSS

Description

In IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04, a configuration error has been detected in cross-origin resource sharing (CORS). Exploiting this vulnerability requires authenticating to the device and executing certain commands that can only be executed with permissions higher than the view permission.

Classification

CVE ID: CVE-2025-41366

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.1

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:L

Problem Types

CWE-942: Permissive Cross-domain Policy with Untrusted Domains

Affected Products

Vendor: ZIV

Product: IDF and ZLF

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 7.45% (scored less or equal to compared to others)

EPSS Date: 2025-06-06 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-41366
https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-zivs-idf-and-zlf-products

Timeline

2025-06-06 12:40:11 UTC
CVE

CORS vulnerability in IDF and ZLF