CVE-2025-68718 Overview
KAYSUS KS-WR1200 routers with firmware version 107 expose SSH and TELNET services on the LAN interface with hardcoded root credentials (root:12345678). The administrator cannot disable these services or change the hardcoded password. Changing the management GUI password does not affect SSH/TELNET authentication, leaving any LAN-adjacent attacker with the ability to trivially log in with root privileges.
Critical Impact
Any attacker with LAN access can authenticate as root using publicly known hardcoded credentials, gaining complete administrative control over the router.
Affected Products
- KAYSUS KS-WR1200 routers with firmware version 107
Discovery Timeline
- January 8, 2026 - CVE-2025-68718 published to NVD
- January 8, 2026 - Last updated in NVD database
Technical Details for CVE-2025-68718
Vulnerability Analysis
This vulnerability represents a classic hardcoded credentials flaw (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor) in embedded network device firmware. The KAYSUS KS-WR1200 router ships with SSH and TELNET services enabled on the LAN interface by default, using static root credentials that cannot be changed or disabled by administrators.
The fundamental security design flaw is that the management GUI password and the underlying system access credentials operate independently. Users who believe they have secured their router by changing the web interface password remain vulnerable, as the hardcoded credentials for SSH and TELNET access are embedded in the firmware and persist regardless of any configuration changes.
Root Cause
The root cause is the use of hardcoded credentials (root:12345678) embedded directly in the router's firmware for SSH and TELNET authentication. This represents a severe design flaw where:
- The credentials are static and cannot be modified by end users
- The SSH and TELNET services cannot be disabled through the management interface
- The system authentication is decoupled from the web management interface, creating a false sense of security when users change their GUI password
Attack Vector
This vulnerability requires adjacent network access, meaning an attacker must be connected to the same LAN as the vulnerable router. The attack is trivial to execute:
The attacker simply connects to the router via SSH or TELNET on the LAN interface and authenticates using the publicly known credentials root:12345678. No special tools, exploits, or authentication bypass techniques are required. The attack requires no user interaction and no prior privileges on the target network beyond basic LAN connectivity.
Once authenticated, the attacker gains full root-level access to the router, enabling them to modify network configurations, intercept traffic, install persistent backdoors, or pivot to other network devices.
Detection Methods for CVE-2025-68718
Indicators of Compromise
- Unexpected SSH or TELNET sessions originating from unknown LAN hosts to the router's management interface
- Authentication logs showing successful root logins from unauthorized IP addresses
- Configuration changes to routing tables, firewall rules, or DNS settings without administrator action
- Presence of unauthorized user accounts or modified system files on the router
Detection Strategies
- Monitor network traffic for SSH (port 22) and TELNET (port 23) connections to the router's LAN IP address
- Deploy network intrusion detection systems (IDS) with rules to alert on authentication attempts using known default credentials
- Implement network segmentation monitoring to detect lateral movement from compromised routers
- Review router logs regularly for successful authentication events from non-administrative hosts
Monitoring Recommendations
- Enable centralized logging for all network infrastructure devices and forward logs to a SIEM solution
- Configure alerts for any root-level authentication to network devices outside of scheduled maintenance windows
- Perform regular vulnerability scans of network infrastructure to identify devices with exposed management services
- Implement network access control to restrict which hosts can connect to router management interfaces
How to Mitigate CVE-2025-68718
Immediate Actions Required
- Implement network-level access controls (ACLs or firewall rules) to restrict SSH and TELNET access to the router from trusted management hosts only
- Segment the network to limit the number of hosts that have LAN adjacency to vulnerable routers
- Monitor for exploitation attempts and audit authentication logs for suspicious activity
- Contact KAYSUS support to inquire about firmware updates that address this vulnerability
Patch Information
No vendor patch information is currently available. Administrators should monitor the KAYSUS vendor website and the GitHub CVE repository for updates regarding this vulnerability.
Workarounds
- Deploy an upstream firewall or managed switch with ACLs to block SSH (port 22) and TELNET (port 23) traffic to the router from all hosts except authorized management stations
- Consider replacing affected devices with routers that allow credential management and service disabling
- Implement 802.1X network access control to limit which devices can connect to the LAN and potentially reach the vulnerable router
- Use network monitoring tools to alert on any SSH or TELNET connection attempts to the router
# Example: iptables rules on an upstream Linux gateway to restrict SSH/TELNET access
# Replace ROUTER_IP with the LAN IP of the vulnerable KAYSUS router
# Replace MGMT_HOST with the IP of your authorized management workstation
iptables -A FORWARD -d ROUTER_IP -p tcp --dport 22 -s MGMT_HOST -j ACCEPT
iptables -A FORWARD -d ROUTER_IP -p tcp --dport 23 -s MGMT_HOST -j ACCEPT
iptables -A FORWARD -d ROUTER_IP -p tcp --dport 22 -j DROP
iptables -A FORWARD -d ROUTER_IP -p tcp --dport 23 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
