Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-68718

CVE-2025-68718: KAYSUS Router Auth Bypass Vulnerability

CVE-2025-68718 is an authentication bypass flaw in KAYSUS KS-WR1200 routers with hardcoded credentials that grant root access via SSH and TELNET. This article covers technical details, affected firmware, and mitigation.

Updated:

CVE-2025-68718 Overview

KAYSUS KS-WR1200 routers with firmware version 107 expose SSH and TELNET services on the LAN interface with hardcoded root credentials (root:12345678). The administrator cannot disable these services or change the hardcoded password. Changing the management GUI password does not affect SSH/TELNET authentication, leaving any LAN-adjacent attacker with the ability to trivially log in with root privileges.

Critical Impact

Any attacker with LAN access can authenticate as root using publicly known hardcoded credentials, gaining complete administrative control over the router.

Affected Products

  • KAYSUS KS-WR1200 routers with firmware version 107

Discovery Timeline

  • January 8, 2026 - CVE-2025-68718 published to NVD
  • January 8, 2026 - Last updated in NVD database

Technical Details for CVE-2025-68718

Vulnerability Analysis

This vulnerability represents a classic hardcoded credentials flaw (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor) in embedded network device firmware. The KAYSUS KS-WR1200 router ships with SSH and TELNET services enabled on the LAN interface by default, using static root credentials that cannot be changed or disabled by administrators.

The fundamental security design flaw is that the management GUI password and the underlying system access credentials operate independently. Users who believe they have secured their router by changing the web interface password remain vulnerable, as the hardcoded credentials for SSH and TELNET access are embedded in the firmware and persist regardless of any configuration changes.

Root Cause

The root cause is the use of hardcoded credentials (root:12345678) embedded directly in the router's firmware for SSH and TELNET authentication. This represents a severe design flaw where:

  1. The credentials are static and cannot be modified by end users
  2. The SSH and TELNET services cannot be disabled through the management interface
  3. The system authentication is decoupled from the web management interface, creating a false sense of security when users change their GUI password

Attack Vector

This vulnerability requires adjacent network access, meaning an attacker must be connected to the same LAN as the vulnerable router. The attack is trivial to execute:

The attacker simply connects to the router via SSH or TELNET on the LAN interface and authenticates using the publicly known credentials root:12345678. No special tools, exploits, or authentication bypass techniques are required. The attack requires no user interaction and no prior privileges on the target network beyond basic LAN connectivity.

Once authenticated, the attacker gains full root-level access to the router, enabling them to modify network configurations, intercept traffic, install persistent backdoors, or pivot to other network devices.

Detection Methods for CVE-2025-68718

Indicators of Compromise

  • Unexpected SSH or TELNET sessions originating from unknown LAN hosts to the router's management interface
  • Authentication logs showing successful root logins from unauthorized IP addresses
  • Configuration changes to routing tables, firewall rules, or DNS settings without administrator action
  • Presence of unauthorized user accounts or modified system files on the router

Detection Strategies

  • Monitor network traffic for SSH (port 22) and TELNET (port 23) connections to the router's LAN IP address
  • Deploy network intrusion detection systems (IDS) with rules to alert on authentication attempts using known default credentials
  • Implement network segmentation monitoring to detect lateral movement from compromised routers
  • Review router logs regularly for successful authentication events from non-administrative hosts

Monitoring Recommendations

  • Enable centralized logging for all network infrastructure devices and forward logs to a SIEM solution
  • Configure alerts for any root-level authentication to network devices outside of scheduled maintenance windows
  • Perform regular vulnerability scans of network infrastructure to identify devices with exposed management services
  • Implement network access control to restrict which hosts can connect to router management interfaces

How to Mitigate CVE-2025-68718

Immediate Actions Required

  • Implement network-level access controls (ACLs or firewall rules) to restrict SSH and TELNET access to the router from trusted management hosts only
  • Segment the network to limit the number of hosts that have LAN adjacency to vulnerable routers
  • Monitor for exploitation attempts and audit authentication logs for suspicious activity
  • Contact KAYSUS support to inquire about firmware updates that address this vulnerability

Patch Information

No vendor patch information is currently available. Administrators should monitor the KAYSUS vendor website and the GitHub CVE repository for updates regarding this vulnerability.

Workarounds

  • Deploy an upstream firewall or managed switch with ACLs to block SSH (port 22) and TELNET (port 23) traffic to the router from all hosts except authorized management stations
  • Consider replacing affected devices with routers that allow credential management and service disabling
  • Implement 802.1X network access control to limit which devices can connect to the LAN and potentially reach the vulnerable router
  • Use network monitoring tools to alert on any SSH or TELNET connection attempts to the router
bash
# Example: iptables rules on an upstream Linux gateway to restrict SSH/TELNET access
# Replace ROUTER_IP with the LAN IP of the vulnerable KAYSUS router
# Replace MGMT_HOST with the IP of your authorized management workstation

iptables -A FORWARD -d ROUTER_IP -p tcp --dport 22 -s MGMT_HOST -j ACCEPT
iptables -A FORWARD -d ROUTER_IP -p tcp --dport 23 -s MGMT_HOST -j ACCEPT
iptables -A FORWARD -d ROUTER_IP -p tcp --dport 22 -j DROP
iptables -A FORWARD -d ROUTER_IP -p tcp --dport 23 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.