CVE-2025-62771 Overview
CVE-2025-62771 is a Cross-Site Request Forgery [CWE-352] vulnerability affecting Mercku M6a wireless router devices through firmware version 2.1.0. The flaw allows an attacker on the intranet to trigger unauthorized password changes on the router by abusing missing CSRF protections in the device's web management interface. Successful exploitation grants the attacker full administrative control over the affected router.
The vulnerability requires the attacker to be on the adjacent network and depends on a victim with an authenticated session visiting attacker-controlled content. The vulnerability was disclosed publicly through the Full Disclosure mailing list and the NullVoid research blog.
Critical Impact
Successful CSRF exploitation results in unauthorized administrator password changes, granting an attacker full control of the Mercku M6a router and the network it serves.
Affected Products
- Mercku M6a wireless router
- Firmware versions through 2.1.0
- Devices exposing the affected web management interface on the LAN
Discovery Timeline
- 2025-10-22 - CVE-2025-62771 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-62771
Vulnerability Analysis
The Mercku M6a web administration interface accepts state-changing requests, including password change operations, without validating an anti-CSRF token or verifying the request origin. An authenticated administrator who visits a malicious page on the same intranet can have their browser silently submit a forged password change request to the router's management endpoint.
Because the request is issued by the victim's authenticated browser, the router processes it as a legitimate administrative action. The attacker does not need to know the existing password to complete the change. After the password is rewritten, the attacker authenticates with the new credentials and takes over the device.
Further technical analysis is published in the NullVoid Blog Post and the Full Disclosure Mailing List.
Root Cause
The root cause is the absence of CSRF mitigations on sensitive administrative endpoints. The web interface does not enforce per-request CSRF tokens, does not validate the Origin or Referer headers, and does not require re-authentication or knowledge of the current password before applying a new one. This matches the weakness class described in CWE-352.
Attack Vector
An attacker hosts a malicious page on the intranet, for example on a compromised internal host or a guest Wi-Fi device. When an administrator with an active router session loads the page, embedded HTML or JavaScript issues a cross-origin request to the router's password change endpoint. The browser includes the administrator's session cookie, and the router accepts the request. Exploitation does not require user interaction beyond visiting the page. Code examples were not published in the verified references; see the linked advisories for proof-of-concept details.
Detection Methods for CVE-2025-62771
Indicators of Compromise
- Unexpected administrator password resets on Mercku M6a devices without a corresponding change ticket or admin action
- HTTP POST requests to router administrative endpoints originating from non-management LAN hosts with foreign Referer or Origin headers
- New or unfamiliar logins to the router web UI from intranet IP addresses shortly after a password change event
Detection Strategies
- Inspect router access and audit logs for password change operations and correlate them against authorized administrator activity
- Monitor LAN traffic for cross-origin HTTP requests targeting the router management IP, especially POSTs with payloads referencing password fields
- Alert on configuration drift such as administrator credential changes, DNS server changes, or new port forwards on the affected device
Monitoring Recommendations
- Forward router syslog and authentication events to a centralized SIEM or data lake for retention and correlation
- Baseline normal administrative traffic patterns and alert on management interface access from non-administrator workstations
- Periodically verify that the current administrator credentials match the documented values stored in a secure password vault
How to Mitigate CVE-2025-62771
Immediate Actions Required
- Restrict access to the Mercku M6a web management interface to a dedicated administrator host or management VLAN
- Log out of the router admin session immediately after each configuration change to invalidate the cookie used by CSRF attacks
- Avoid browsing untrusted intranet or internet content from the same browser used to administer the router
Patch Information
At the time of NVD publication, no vendor-supplied firmware patch is referenced in the CVE record. Administrators should monitor Mercku vendor channels for an updated firmware release that adds CSRF token validation and origin checks to administrative endpoints. Review the Full Disclosure Mailing List entry for the latest vendor response status.
Workarounds
- Use a separate, isolated browser profile or dedicated management workstation when authenticating to the router
- Place the router management interface behind an ACL that only allows specific trusted source addresses
- Disable remote and intranet-wide management access where the device allows scoping the admin interface to specific interfaces or hosts
- Segment IoT and guest devices into a separate VLAN that cannot reach the router management address
# Configuration example: restrict management plane access using an upstream firewall
# Allow only the admin workstation (192.0.2.10) to reach the router web UI (192.0.2.1)
iptables -A FORWARD -s 192.0.2.10 -d 192.0.2.1 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -d 192.0.2.1 -p tcp --dport 443 -j DROP
iptables -A FORWARD -d 192.0.2.1 -p tcp --dport 80 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
