CVE-2025-65010 in WD-R608U
Summary
by MITRE • 12/18/2025
WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) is vulnerable to Broken Access Control in initial configuration wizard.cgi endpoint. Malicious attacker can change admin panel password without authorization. The vulnerability can also be exploited after the initial configuration has been set.
The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version WDR28081123OV1.01 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 12/18/2025
The CVE-2025-65010 vulnerability affects WODESYS WD-R608U routers including variants WDR122B V2.0 and WDR28, representing a critical broken access control flaw in the initial configuration wizard.cgi endpoint. This vulnerability fundamentally compromises the router's authentication mechanism by allowing unauthorized modification of administrative credentials without proper authorization. The flaw exists in the web interface's access control implementation, specifically within the configuration wizard component that handles initial setup processes. Security researchers identified that the vulnerability permits remote attackers to manipulate administrative passwords through the web-based management interface, creating a significant risk for network administrators who rely on these devices for their network infrastructure.
The technical nature of this vulnerability aligns with CWE-285, which describes improper authorization within software systems, and represents a clear violation of the principle of least privilege in network device security. The flaw manifests in the authentication flow where the system fails to properly validate user credentials or session tokens when processing requests to modify administrative passwords. This weakness allows attackers to bypass normal access controls and gain administrative privileges through manipulation of the configuration wizard endpoint. The vulnerability's persistence across different configuration states means that even after initial setup has been completed, the same access control bypass remains possible, making it particularly dangerous for long-term network security. The lack of proper input validation and session management within the cgi endpoint creates an attack surface that enables arbitrary password changes without authentication.
The operational impact of this vulnerability extends beyond simple credential compromise, as it allows attackers to assume full administrative control over the affected routers. Network administrators face significant risks including unauthorized network access, potential data exfiltration, and the ability to modify firewall rules, DNS settings, and other critical network configurations. The vulnerability affects the router's core security posture by undermining the fundamental assumption that administrative access requires proper authentication. Attackers can exploit this weakness to establish persistent backdoors, redirect traffic through malicious servers, or disable security features entirely. The compromised device becomes a potential entry point for broader network attacks, as it provides attackers with a legitimate administrative interface to manipulate network traffic and access other connected systems. This type of vulnerability directly impacts the CIA triad by compromising confidentiality, integrity, and availability of network services.
Given the vendor's lack of response regarding specific vulnerable versions beyond WDR28081123OV1.01, network administrators should assume that other variants may also be affected. The absence of vendor patches or security advisories creates an urgent need for immediate mitigation strategies. Organizations should implement network segmentation to isolate affected devices, monitor for suspicious authentication attempts, and consider disabling unnecessary web management interfaces. The vulnerability's presence in the initial configuration wizard suggests that the authentication mechanism may be fundamentally flawed in the device's software architecture, requiring either firmware updates or complete device replacement. Network defenders should also consider implementing intrusion detection systems to monitor for exploitation attempts targeting the specific cgi endpoint. Based on ATT&CK framework categorization, this vulnerability maps to T1078 (Valid Accounts) and T1566 (Phishing) as attackers can leverage the compromised administrative credentials to maintain persistent access and potentially spread to other network segments through lateral movement techniques. The lack of vendor response also indicates potential security mismanagement practices that may leave other devices in the same product line vulnerable to similar flaws.