CVE-2025-55976: Intelbras IWR 3000N Information Disclosure

CVE-2025-55976 Overview

CVE-2025-55976 is an information disclosure vulnerability affecting the Intelbras IWR 3000N wireless router running firmware version 1.9.8. The device exposes the configured Wi-Fi password in plaintext through the /api/wireless endpoint. Any unauthenticated user with access to the local network can query this endpoint and immediately retrieve the wireless network password. The flaw is categorized under [CWE-200] (Exposure of Sensitive Information to an Unauthorized Actor) and stems from missing authentication controls on a sensitive management API.

Critical Impact

Unauthenticated attackers on the local network can obtain the Wi-Fi password in plaintext, enabling persistent network access and downstream attacks on connected devices.

Affected Products

• Intelbras IWR 3000N router (hardware)
• Intelbras IWR 3000N firmware version 1.9.8
• Wireless N 300Mbps router product line distributed by Intelbras

Discovery Timeline

• 2025-09-10 - CVE-2025-55976 published to NVD
• 2025-10-17 - Last updated in NVD database

Technical Details for CVE-2025-55976

Vulnerability Analysis

The Intelbras IWR 3000N router exposes a REST-style management API at /api/wireless that returns the current wireless configuration. The endpoint does not enforce authentication or session validation before returning sensitive data. The response body includes the wireless network's pre-shared key (PSK) in cleartext rather than in a redacted or hashed form.

This behavior allows any host on the local area network, including devices connected to a guest network or wired LAN segment, to issue an HTTP request and parse the password from the JSON response. The vulnerability requires only network adjacency, not credentials or user interaction.

Once the Wi-Fi password is recovered, an attacker can associate with the wireless network from outside the building if signal strength permits. Persistent network access also enables lateral movement, traffic interception, and attacks against other LAN-resident services.

Root Cause

The root cause is missing authorization on a management endpoint combined with insecure storage of credential material in API responses. The /api/wireless handler does not verify an authenticated administrative session and returns the PSK field without masking. This violates least-privilege principles for embedded device management interfaces.

Attack Vector

Exploitation requires the attacker to reach the router over the local network. An attacker with prior access to a guest VLAN, a compromised IoT device, or even temporary wired access can issue a single HTTP GET request to the /api/wireless endpoint and parse the JSON output for the password field. The Medium analysis referenced in the public CVE record documents the request-response pattern.

The vulnerability is described in prose only; no verified proof-of-concept code is published in this advisory. See the Medium Analysis on CVE-2025-55976 for the technical write-up.

Detection Methods for CVE-2025-55976

Indicators of Compromise

• HTTP GET requests to /api/wireless originating from LAN clients that are not administrative workstations
• Unexpected wireless associations from devices whose MAC addresses are not in the asset inventory
• Repeated polling of the router's management interface from a single internal host
• DHCP leases issued to unknown devices shortly after /api/wireless access events

Detection Strategies

• Capture and inspect HTTP traffic to the router management interface and alert on responses containing keys such as password, psk, or wpa_key
• Correlate access to /api/wireless with the source IP and compare against an allowlist of administrative endpoints
• Monitor router logs, if exposed via syslog, for API access from unauthenticated sessions

Monitoring Recommendations

• Forward router syslog and DHCP events to a centralized log platform for retention and correlation
• Track the wireless client association table and alert on new MAC addresses joining the SSID
• Baseline normal management traffic patterns and flag deviations from administrative hosts

How to Mitigate CVE-2025-55976

Immediate Actions Required

• Restrict access to the router's management interface to a dedicated administrative VLAN or wired-only segment
• Rotate the Wi-Fi pre-shared key and assume the current PSK is compromised if the device has been deployed on a shared network
• Segment IoT and guest devices away from the router's management plane using VLANs or firewall rules
• Inventory all Intelbras IWR 3000N devices running firmware 1.9.8 and prioritize replacement or isolation

Patch Information

At the time of NVD publication on 2025-09-10, no vendor advisory or firmware update is listed in the CVE record. Administrators should consult the Intelbras Product Page for any future firmware releases addressing this issue. If no patch is available, treat the device as end-of-life for security purposes and plan for replacement with a supported model.

Workarounds

• Place the router behind an upstream firewall that blocks lateral access to the management interface from untrusted LAN segments
• Disable remote management features and ensure the device is not reachable from the WAN side
• Deploy WPA3 or WPA2-Enterprise on a replacement access point and decommission the vulnerable router where feasible
• Use periodic PSK rotation as a compensating control until the device can be replaced

# Example: block LAN clients from reaching the router management API
# Apply on an upstream Linux gateway or managed switch ACL
iptables -A FORWARD -p tcp -d <router_ip> --dport 80 -j DROP
iptables -A FORWARD -p tcp -d <router_ip> --dport 443 -j DROP
# Allow only the administrative host
iptables -I FORWARD -s <admin_host_ip> -d <router_ip> -p tcp --dport 443 -j ACCEPT