CVE-2025-34467: ZwiiCMS < 13.7.00 Lock Persistence Authenticated DoS Against Administrative Pages
ZwiiCMS versions prior to 13.7.00 contain a denial-of-service vulnerability in multiple administrative endpoints due to improper authorization checks combined with flawed resource state management. When an authenticated low-privilege user requests an administrative page, the application returns "404 Not Found" as expected, but incorrectly acquires and associates a temporary lock on the targeted resource with the attacker session prior to authorization. This lock prevents other users, including administrators, from accessing the affected functionality until the attacker navigates away or the session is terminated.
Security readout for executives and security teams
Plain-English summary
ZwiiCMS before 13.7.00 lets a logged-in low-privilege user block administrative pages by triggering temporary locks before authorization completes. The user still gets a 404 response, but administrators can be denied access to affected functions until the session clears.
Executive priority
Treat this as a moderate operational disruption risk. It can block administrators from managing the site, but the provided evidence does not indicate code execution, data compromise, or active exploitation.
Technical view
The issue combines improper authorization checks with flawed lock state handling across multiple administrative endpoints. A low-privilege authenticated request can bind a temporary resource lock to the requester before access denial, causing availability loss for administrators. CVSS v4.0 is 5.3, with low attack complexity and low privileges required.
Likely exposure
Exposure is limited to ZwiiCMS deployments running versions prior to 13.7.00 with authenticated low-privilege users. Public internet exposure increases operational risk if untrusted users can obtain accounts.
Exploitation context
The source bundle does not show KEV listing or active exploitation. Exploitation requires authentication but no user interaction. Impact is administrative availability, not data theft or code execution, based on the provided CVSS and advisory description.
Researcher notes
The affected version field in the bundle is incomplete, but the description and release reference identify versions before 13.7.00. Focus review on authorization order and resource lock release behavior in administrative endpoints.
Mitigation direction
Upgrade ZwiiCMS to 13.7.00 or later per the referenced release.
Review vendor guidance for any additional hardening or backport instructions.
Limit low-privilege account creation to trusted users where possible.
Terminate suspicious sessions that appear to hold administrative resource locks.
Monitor administrative page availability after applying the update.
Validation and detection
Inventory ZwiiCMS instances and confirm installed versions.
Check whether any deployment runs a version prior to 13.7.00.
Review logs for repeated low-privilege requests to administrative pages returning 404.
Confirm administrators can access affected administrative functions after upgrade.
Avoid reproducing lock behavior against production systems.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-667: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
CWE-863: Authorization and privilege behavior lookup
Authorization weaknesses can support privilege escalation and valid-account review, depending on exploit path. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-667 · source CWE mapping
Improper Locking
Improper Locking represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Incorrect Authorization represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.