CVE-2025-53757 Overview
CVE-2025-53757 affects the Digisol DG-GR6821AC Router. The router web interface sets session cookies without the Secure and HttpOnly flags. Missing the Secure flag allows cookies to traverse cleartext HTTP connections. Missing the HttpOnly flag exposes cookies to client-side script access.
A remote attacker positioned on the network path can capture session cookies transmitted over unencrypted HTTP. Successful interception yields authenticated access to the router web interface and the sensitive configuration data it exposes. The issue is tracked under CWE-614: Sensitive Cookie in HTTPS Session Without Secure Attribute.
Critical Impact
Network-adjacent attackers can hijack administrator sessions on the Digisol DG-GR6821AC router and extract sensitive device information without authentication.
Affected Products
- Digisol DG-GR6821AC Router (web management interface)
- Specific firmware versions: refer to the CERT-In Advisory CIVN-2025-0147
Discovery Timeline
- 2025-07-16 - CVE-2025-53757 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-53757
Vulnerability Analysis
The Digisol DG-GR6821AC router web interface issues authenticated session cookies through HTTP Set-Cookie response headers. The server omits the Secure and HttpOnly attributes when creating these cookies. This produces two distinct exposure paths for the same credential material.
Without the Secure attribute, browsers attach the cookie to any request matching the cookie scope, including plain HTTP requests. An attacker on the same local network, an upstream link, or a malicious Wi-Fi access point can capture the cookie using passive sniffing tools such as tcpdump or Wireshark. No interaction with the victim is required beyond observing existing administrative traffic.
Without the HttpOnly attribute, cookies become accessible to JavaScript executing in the browser context via document.cookie. A reflected or stored cross-site scripting flaw in the router interface, or a malicious page loaded in the same browser, can exfiltrate the session token.
Root Cause
The root cause is a configuration defect in the router HTTP server. Session management code does not append the Secure and HttpOnly attributes when generating Set-Cookie headers. This is a deviation from RFC 6265 hardening guidance and aligns with CWE-614.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker observes HTTP traffic between an administrator and the router, extracts the session cookie from the captured packet, and replays it against the router web interface to assume the administrator session. Information exposed includes Wi-Fi credentials, connected device inventories, firewall rules, and routing configuration.
No verified public proof-of-concept code is available. The vulnerability is described in prose by CERT-In Advisory CIVN-2025-0147.
Detection Methods for CVE-2025-53757
Indicators of Compromise
- Unexpected administrative logins to the router web interface from unfamiliar source IP addresses
- Modified router settings, particularly DNS servers, port forwards, or remote management toggles
- Set-Cookie headers from the router lacking Secure and HttpOnly attributes when inspected with browser developer tools
Detection Strategies
- Inspect HTTP responses from the router login flow and confirm whether session cookies include the Secure and HttpOnly flags
- Monitor LAN traffic for plaintext HTTP sessions to the router management IP and alert on authenticated requests carried over port 80
- Correlate router configuration changes with administrator login timestamps to surface session replay activity
Monitoring Recommendations
- Enable logging on the router web interface and forward authentication events to a central log collector
- Flag any access to the management interface that originates from outside trusted administrative subnets
- Watch for ARP spoofing or rogue DHCP activity on the management VLAN that would facilitate cookie interception
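The plaintext-session and untrusted-source checks listed above can be expressed as detection logic over captured request metadata. This is an added example, not part of the advisory: the flow records are constructed, and the management IP and trusted subnet are assumed values chosen to match the sample addresses used elsewhere on this page.

```python
import ipaddress

# Assumed values for illustration: router management IP and trusted admin subnet.
ROUTER_IP = "192.168.1.1"
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.48/29")]  # .48 to .55

# Constructed sample records: (source IP, destination IP, destination port, request head)
SAMPLE_FLOWS = [
    ("192.168.1.50", "192.168.1.1", 80,
     "GET /status.html HTTP/1.1\r\nHost: 192.168.1.1\r\nCookie: SESSIONID=8f3a1c\r\n\r\n"),
    ("192.168.1.77", "192.168.1.1", 80,
     "GET /login.html HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n"),
    ("192.168.1.50", "192.168.1.1", 443, ""),  # TLS: request not visible on the wire
    ("192.168.1.50", "192.168.1.20", 80,
     "GET / HTTP/1.1\r\nHost: nas\r\nCookie: a=b\r\n\r\n"),
]


def has_cookie_header(raw):
    """True if the request head carries a Cookie header (case-insensitive name)."""
    head = raw.split("\r\n\r\n", 1)[0]
    return any(line.partition(":")[0].strip().lower() == "cookie"
               for line in head.split("\r\n")[1:])


def classify(flow):
    """Return alert tags for one flow; an empty list means nothing to report."""
    src, dst, dport, raw = flow
    if dst != ROUTER_IP or dport not in (80, 443):
        return []  # not management-interface traffic
    tags = []
    if not any(ipaddress.ip_address(src) in net for net in TRUSTED_NETS):
        tags.append("untrusted-source")
    if dport == 80 and has_cookie_header(raw):
        # The cookie value itself is never logged, only the fact it was exposed.
        tags.append("cleartext-session-cookie")
    return tags


def alerts(flows):
    """Return [(source IP, tags)] for every flow that raised at least one tag."""
    return [(f[0], t) for f in flows if (t := classify(f))]


if __name__ == "__main__":
    for src, tags in alerts(SAMPLE_FLOWS):
        print(f"{src}: {', '.join(tags)}")
```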
How to Mitigate CVE-2025-53757
Immediate Actions Required
- Restrict access to the router web interface to a dedicated management VLAN or trusted host
- Disable remote (WAN-side) management on the DG-GR6821AC until a fixed firmware is applied
- Force administrators to access the interface only over HTTPS and reject HTTP where the device supports it
- Rotate all administrator credentials and pre-shared Wi-Fi keys after confirming no active compromise
Patch Information
No fixed firmware version is listed in the NVD record at publication time. Consult the CERT-In Advisory CIVN-2025-0147 and the Digisol support portal for updated firmware availability for the DG-GR6821AC.
Workarounds
- Access the router only from a wired connection on a segmented administrative network
- Close the browser after every administrative session so that session cookies held in browser memory are discarded
- Place the router management interface behind an HTTPS reverse proxy that injects Secure and HttpOnly attributes on responses where feasible
- Block port 80 on the router LAN interface using firewall rules where the firmware permits
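# Example: restrict router admin interface to a single trusted host on Linux
# Assumes the Linux host forwards traffic between the admin network and the router
# (rules in the FORWARD chain do not see traffic that never crosses this host).
# 192.168.1.1 = router management IP, 192.168.1.50 = trusted admin host (example addresses).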
sudo iptables -A FORWARD -p tcp -d 192.168.1.1 --dport 80 -s 192.168.1.50 -j ACCEPT
sudo iptables -A FORWARD -p tcp -d 192.168.1.1 --dport 80 -j DROP
sudo iptables -A FORWARD -p tcp -d 192.168.1.1 --dport 443 -s 192.168.1.50 -j ACCEPT
sudo iptables -A FORWARD -p tcp -d 192.168.1.1 --dport 443 -j DROP


