Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-68716

CVE-2025-68716: KAYSUS KS-WR3600 Router RCE Vulnerability

CVE-2025-68716 is a remote code execution flaw in KAYSUS KS-WR3600 routers that exposes passwordless root SSH access on the LAN interface. This article covers the technical details, affected firmware versions, and mitigation steps.

Updated:

CVE-2025-68716 Overview

KAYSUS KS-WR3600 routers with firmware version 1.0.5.9.1 contain a critical insecure default configuration vulnerability that enables unauthorized root access. The SSH service is enabled by default on the LAN interface with the root account configured without a password. Administrators have no ability to disable SSH or enforce authentication through either the CLI or web GUI, creating a severe security gap that allows LAN-adjacent attackers to gain complete control of the device.

Critical Impact

Any attacker with LAN access can trivially obtain root shell access and execute arbitrary commands with full privileges, enabling complete device compromise, network pivoting, and persistent backdoor installation.

Affected Products

  • KAYSUS KS-WR3600 Wireless Router
  • Firmware version 1.0.5.9.1
  • Devices with SSH service accessible on LAN interface

Discovery Timeline

  • 2026-01-08 - CVE-2025-68716 published to NVD
  • 2026-01-08 - Last updated in NVD database

Technical Details for CVE-2025-68716

Vulnerability Analysis

This vulnerability represents a fundamental insecure default configuration flaw (CWE-284: Improper Access Control) in the KAYSUS KS-WR3600 router firmware. The device ships with SSH enabled on the LAN interface and the root account configured without any password protection. This design flaw means that out-of-the-box, the router accepts passwordless SSH connections as root from any device on the local network.

The security impact is severe because the vulnerability cannot be remediated through normal administrative actions. The router's CLI and web GUI provide no mechanism to disable the SSH service or configure password authentication for the root account. This leaves network administrators with no workaround short of firmware modification or network segmentation.

Root Cause

The root cause stems from insecure firmware defaults combined with inadequate administrative controls. The firmware developers configured SSH to launch automatically on the LAN interface with root access enabled and no authentication requirement. The failure to provide administrative controls to modify this behavior compounds the issue, as security-conscious administrators cannot harden the device through normal configuration channels.

Attack Vector

An attacker positioned on the local area network can exploit this vulnerability trivially. The attack requires no authentication credentials, no exploitation of memory corruption vulnerabilities, and no specialized tools beyond a standard SSH client. The attacker simply connects to the router's LAN IP address via SSH on port 22 (default) and receives an immediate root shell.

From this position, the attacker can modify firewall rules to enable external access, install persistent backdoors, intercept network traffic, pivot to other internal systems, exfiltrate configuration data including WiFi credentials, and brick the device through firmware manipulation.

Detection Methods for CVE-2025-68716

Indicators of Compromise

  • Unexpected SSH connections to the router from unauthorized LAN hosts
  • New or modified cron jobs, startup scripts, or firmware files on the device
  • Changes to firewall rules or NAT configurations enabling external access
  • Presence of unauthorized user accounts or SSH keys on the device
  • Unusual outbound network connections originating from the router

Detection Strategies

  • Monitor network traffic for SSH connections to router management interfaces from non-administrative hosts
  • Implement network access control lists to restrict which devices can communicate with router management ports
  • Deploy network-based intrusion detection to identify suspicious SSH session patterns
  • Regularly audit router configurations for unauthorized modifications

Monitoring Recommendations

  • Enable logging on network switches to capture connection attempts to router management interfaces
  • Implement SIEM correlation rules to alert on SSH connections to router IPs from unexpected source addresses
  • Conduct periodic configuration audits comparing current device state against known-good baselines
  • Monitor for unusual traffic patterns indicative of data exfiltration or command-and-control activity

How to Mitigate CVE-2025-68716

Immediate Actions Required

  • Isolate affected KAYSUS KS-WR3600 routers to a dedicated VLAN with strict access controls
  • Implement network-level access control lists (ACLs) blocking SSH traffic to affected devices from untrusted hosts
  • Deploy a firewall rule upstream to prevent any SSH connections to the router's LAN interface
  • Audit affected devices for signs of compromise including unauthorized configuration changes

Patch Information

At the time of publication, no vendor-provided patch is available for this vulnerability. Administrators should monitor the KAYSUS WR3600 product page for firmware updates that address this security issue. Additional technical details can be found in the GitHub CVE-2025-68716 advisory.

Workarounds

  • Implement port-based network access control (802.1X) to restrict which devices can access the LAN segment containing the router
  • Place the router behind a managed switch with ACLs blocking port 22 traffic to the router's IP address
  • Consider replacing affected devices with alternatives that provide proper SSH authentication controls
  • If device replacement is not feasible, segment the network to minimize the number of hosts with direct LAN access to the router
bash
# Example iptables rule on upstream Linux firewall to block SSH to router
iptables -A FORWARD -d ROUTER_LAN_IP -p tcp --dport 22 -j DROP
iptables -A OUTPUT -d ROUTER_LAN_IP -p tcp --dport 22 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.