CVE-2025-65009 in WD-R608U
Summary
by MITRE • 12/18/2025
In WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) admin password is stored in configuration file as plaintext and can be obtained by unauthorized user by direct references to the resource in question.
The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version WDR28081123OV1.01 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 12/18/2025
The CVE-2025-65009 vulnerability represents a critical security flaw in WODESYS WD-R608U routers, including variants WDR122B V2.0 and WDR28, where administrative credentials are stored in plaintext within configuration files. This configuration exposes the system to unauthorized access attempts by any individual who can directly reference the vulnerable resource, fundamentally undermining the router's security posture. The vulnerability directly violates security best practices and industry standards such as those outlined in CWE-312, which addresses the exposure of sensitive information through plaintext storage. The flaw constitutes a severe weakness in the router's authentication mechanism, as it eliminates the need for legitimate authentication procedures to gain administrative access to the device.
This vulnerability operates at the application layer of the network stack and specifically targets the configuration management component of the router's firmware. The plaintext storage of administrative passwords creates an immediate and persistent risk for any unauthorized user who gains access to the router's file system or can intercept network traffic containing configuration data. The vulnerability's impact extends beyond simple credential theft, as administrative access to the router enables attackers to modify network configurations, implement man-in-the-middle attacks, disable security features, and potentially compromise the entire network infrastructure. The lack of proper credential obfuscation or encryption represents a fundamental failure in the router's security architecture and aligns with ATT&CK technique T1566, which covers credential access through various means including direct access to system files.
The operational impact of this vulnerability is particularly severe given the router's role as a network gateway and the critical nature of administrative access. An attacker with access to the plaintext password can perform unauthorized modifications to network settings, potentially redirecting traffic through malicious servers or creating backdoors within the network. The vulnerability's persistence means that even after the initial access attempt, the attacker maintains ongoing access without requiring additional authentication methods. This exposure affects not only the device itself but also all connected systems, as the router serves as a central point of network control and security enforcement. The lack of vendor response regarding specific vulnerable versions compounds the risk, as organizations cannot definitively assess their exposure across different firmware releases.
Mitigation strategies for this vulnerability should include immediate administrative access restrictions to prevent unauthorized file system access, implementation of network segmentation to limit the attack surface, and regular monitoring for unauthorized configuration changes. Organizations should consider deploying network access control measures to prevent direct file system access to router configuration files, while also implementing proper network monitoring to detect unusual access patterns. The vendor should be urged to provide a comprehensive patch addressing the plaintext storage issue, which should include proper password hashing mechanisms and secure configuration file access controls. Additionally, network administrators should implement regular security audits of router configurations and consider replacing affected devices with versions that properly implement credential protection measures. The vulnerability highlights the importance of secure configuration management practices and the need for vendors to maintain proper communication channels regarding security issues, as outlined in industry standards such as NIST SP 800-53 and ISO 27001 requirements for information security management.