CVE-2025-68716 Overview
KAYSUS KS-WR3600 routers with firmware version 1.0.5.9.1 contain a critical insecure default configuration vulnerability that enables unauthorized root access. The SSH service is enabled by default on the LAN interface with the root account configured without a password. Administrators have no ability to disable SSH or enforce authentication through either the CLI or web GUI, creating a severe security gap that allows LAN-adjacent attackers to gain complete control of the device.
Critical Impact
Any attacker with LAN access can trivially obtain root shell access and execute arbitrary commands with full privileges, enabling complete device compromise, network pivoting, and persistent backdoor installation.
Affected Products
- KAYSUS KS-WR3600 Wireless Router
- Firmware version 1.0.5.9.1
- Devices with SSH service accessible on LAN interface
Discovery Timeline
- 2026-01-08 - CVE-2025-68716 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-68716
Vulnerability Analysis
This vulnerability represents a fundamental insecure default configuration flaw (CWE-284: Improper Access Control) in the KAYSUS KS-WR3600 router firmware. The device ships with SSH enabled on the LAN interface and the root account configured without any password protection. This design flaw means that out-of-the-box, the router accepts passwordless SSH connections as root from any device on the local network.
The security impact is severe because the vulnerability cannot be remediated through normal administrative actions. The router's CLI and web GUI provide no mechanism to disable the SSH service or configure password authentication for the root account. This leaves network administrators with no workaround short of firmware modification or network segmentation.
Root Cause
The root cause stems from insecure firmware defaults combined with inadequate administrative controls. The firmware developers configured SSH to launch automatically on the LAN interface with root access enabled and no authentication requirement. The failure to provide administrative controls to modify this behavior compounds the issue, as security-conscious administrators cannot harden the device through normal configuration channels.
Attack Vector
An attacker positioned on the local area network can exploit this vulnerability trivially. The attack requires no authentication credentials, no exploitation of memory corruption vulnerabilities, and no specialized tools beyond a standard SSH client. The attacker simply connects to the router's LAN IP address via SSH on port 22 (default) and receives an immediate root shell.
From this position, the attacker can modify firewall rules to enable external access, install persistent backdoors, intercept network traffic, pivot to other internal systems, exfiltrate configuration data including WiFi credentials, and brick the device through firmware manipulation.
Detection Methods for CVE-2025-68716
Indicators of Compromise
- Unexpected SSH connections to the router from unauthorized LAN hosts
- New or modified cron jobs, startup scripts, or firmware files on the device
- Changes to firewall rules or NAT configurations enabling external access
- Presence of unauthorized user accounts or SSH keys on the device
- Unusual outbound network connections originating from the router
Detection Strategies
- Monitor network traffic for SSH connections to router management interfaces from non-administrative hosts
- Implement network access control lists to restrict which devices can communicate with router management ports
- Deploy network-based intrusion detection to identify suspicious SSH session patterns
- Regularly audit router configurations for unauthorized modifications
Monitoring Recommendations
- Enable logging on network switches to capture connection attempts to router management interfaces
- Implement SIEM correlation rules to alert on SSH connections to router IPs from unexpected source addresses
- Conduct periodic configuration audits comparing current device state against known-good baselines
- Monitor for unusual traffic patterns indicative of data exfiltration or command-and-control activity
How to Mitigate CVE-2025-68716
Immediate Actions Required
- Isolate affected KAYSUS KS-WR3600 routers to a dedicated VLAN with strict access controls
- Implement network-level access control lists (ACLs) blocking SSH traffic to affected devices from untrusted hosts
- Deploy a firewall rule upstream to prevent any SSH connections to the router's LAN interface
- Audit affected devices for signs of compromise including unauthorized configuration changes
Patch Information
At the time of publication, no vendor-provided patch is available for this vulnerability. Administrators should monitor the KAYSUS WR3600 product page for firmware updates that address this security issue. Additional technical details can be found in the GitHub CVE-2025-68716 advisory.
Workarounds
- Implement port-based network access control (802.1X) to restrict which devices can access the LAN segment containing the router
- Place the router behind a managed switch with ACLs blocking port 22 traffic to the router's IP address
- Consider replacing affected devices with alternatives that provide proper SSH authentication controls
- If device replacement is not feasible, segment the network to minimize the number of hosts with direct LAN access to the router
# Example iptables rule on upstream Linux firewall to block SSH to router
iptables -A FORWARD -d ROUTER_LAN_IP -p tcp --dport 22 -j DROP
iptables -A OUTPUT -d ROUTER_LAN_IP -p tcp --dport 22 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
