CVE-2025-1143 Overview
CVE-2025-1143 affects certain models of routers manufactured by Billion Electric. The devices ship with hard-coded embedded Linux credentials that cannot be changed by administrators. Attackers who know these credentials can log in through the SSH service and gain root privileges on the underlying operating system. The weakness is categorized under [CWE-798] Use of Hard-coded Credentials. TWCERT published the advisory, and the issue was added to the National Vulnerability Database on February 11, 2025.
Critical Impact
An attacker with network access to the SSH service can authenticate using factory-embedded credentials and obtain full root control of the affected router, exposing the device and any traffic traversing it to interception, modification, or pivoting.
Affected Products
- Billion Electric routers (specific models identified by TWCERT)
- Embedded Linux firmware shipped by Billion Electric containing the static account
- SSH service exposed on affected router interfaces
Discovery Timeline
- 2025-02-11 - CVE-2025-1143 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-1143
Vulnerability Analysis
The vulnerability resides in the router firmware shipped by Billion Electric. The firmware contains a static set of Linux account credentials embedded at build time. The SSH daemon on the device validates logins against the same on-disk credential store that holds this account. Because the credentials are baked into the firmware image, end users cannot remove or rotate them through the administrative interface.
An attacker with reachability to the SSH port can authenticate as the hard-coded user and receive an interactive shell. The shell runs with root privileges, granting full control over routing tables, firewall rules, DNS resolvers, captured traffic, and any management daemons running on the device. The flaw is exploitable without prior authentication and without any user interaction.
Root Cause
The root cause is the inclusion of fixed credentials in the production firmware, a classic instance of [CWE-798]. Hard-coded credentials bypass normal account lifecycle controls. They are identical across every device running the same firmware build, so disclosure of the secret compromises every deployed unit simultaneously.
Attack Vector
The CVSS vector identifies the attack path as adjacent or local network access to the SSH service. An attacker on the LAN segment, on a management VLAN, or on any network where SSH has been exposed connects to the SSH listener and supplies the embedded username and password. Successful authentication yields a root shell with no further escalation required. Refer to the TWCERT Security Advisory for vendor-specific technical detail.
Detection Methods for CVE-2025-1143
Indicators of Compromise
- Successful SSH logins to Billion Electric routers from unexpected source addresses, particularly outside scheduled administrator activity windows.
- New cron jobs, iptables rules, or init.d entries appearing on the router without change-management records.
- Outbound connections from the router to unknown command-and-control infrastructure or tunneling endpoints.
- Modifications to /etc/passwd, /etc/shadow, or SSH authorized_keys files on the device.
Detection Strategies
- Monitor SSH authentication logs on affected routers for logins using non-administrator account names that match the hard-coded identity referenced by TWCERT.
- Capture and inspect SSH session metadata at perimeter and segmentation chokepoints to identify connections to router management interfaces.
- Correlate router configuration changes with authenticated administrator sessions and alert on drift.
Monitoring Recommendations
- Forward router syslog, authentication, and configuration-change events to a centralized SIEM for correlation.
- Baseline expected SSH client sources for each router and alert on first-seen sources.
- Track outbound flows from router management IPs and flag traffic patterns inconsistent with administrative use.
How to Mitigate CVE-2025-1143
Immediate Actions Required
- Restrict SSH access on affected Billion Electric routers to a dedicated management network using ACLs or firewall rules.
- Disable the SSH service on devices where remote shell management is not required.
- Audit recent SSH authentication and configuration-change logs for evidence of unauthorized root access.
- Contact Billion Electric or a local distributor to confirm whether a firmware update addressing the hard-coded account is available for the deployed model.
Patch Information
TWCERT coordinated disclosure with Billion Electric. Administrators should consult the TWCERT Security Advisory and the TWCERT Security Notice for the list of affected models and the corresponding fixed firmware versions, then apply the vendor-supplied firmware update on every affected unit.
Workarounds
- Place affected routers behind a separate firewall that blocks inbound TCP/22 from untrusted segments until firmware is updated.
- Bind the SSH listener to a management VLAN interface only, removing exposure from user and guest networks.
- Require VPN access for any administrative session reaching the router management plane.
- Replace end-of-life models that will not receive a fixed firmware release.
# Example: restrict SSH to a management subnet using an upstream firewall
# Replace 10.0.99.0/24 with your administrative network
iptables -A FORWARD -p tcp -s 10.0.99.0/24 -d <router_ip> --dport 22 -j ACCEPT
iptables -A FORWARD -p tcp -d <router_ip> --dport 22 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
