CVE-2019-6725

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to access the rpWLANRedirect.asp page on affected ZyXEL routers, exposing the admin password in HTML source code. Attackers can then gain full administrative access to the modem interface. This affects ZyXEL P-660HN-T1 V2 routers running firmware version 2.00(AAKK.3).

💻 Affected Systems

Products:
  • ZyXEL P-660HN-T1 V2
Versions: 2.00(AAKK.3)
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects this specific model and firmware version. The vulnerable page is accessible by default without any special configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of router with ability to change configurations, intercept traffic, install malware, or use as pivot point into internal network.

🟠

Likely Case

Unauthorized admin access leading to network configuration changes, DNS hijacking, or credential theft from connected devices.

🟢

If Mitigated

Limited impact if router is behind firewall with restricted WAN access and strong internal network segmentation.

🌐 Internet-Facing: HIGH - Directly accessible from internet if WAN interface exposed, allowing remote attackers to exploit without authentication.
🏢 Internal Only: HIGH - Even internally, any user on the network can exploit this without credentials.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only web browser access to the vulnerable page. No special tools or skills needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check ZyXEL support for updated firmware

Vendor Advisory: https://www.zyxel.com/support/security_advisories.shtml

Restart Required: Yes

Instructions:

1. Check the ZyXEL support site for firmware updates.
2. Download the appropriate firmware for the P-660HN-T1 V2.
3. Log into the router admin interface.
4. Navigate to Maintenance > Firmware Upgrade.
5. Upload and apply the new firmware.
6. Reboot the router.

🔧 Temporary Workarounds

Block access to vulnerable page (Linux firewall in front of the router)

Use firewall rules on an upstream Linux firewall to drop requests that name rpWLANRedirect.asp. Use the FORWARD chain instead of INPUT if the firewall forwards traffic to the router rather than terminating it. The string match only sees plaintext HTTP: inside a TLS session the request path is encrypted, so the port 443 rule will not match and WAN access to the interface should be disabled instead (see below).

# Drop plaintext HTTP requests whose payload names the vulnerable page
iptables -A INPUT -p tcp --dport 80 -m string --string "rpWLANRedirect.asp" --algo bm -j DROP
# Does not match TLS traffic (payload is encrypted); shown only for completeness
iptables -A INPUT -p tcp --dport 443 -m string --string "rpWLANRedirect.asp" --algo bm -j DROP

Disable remote administration (all platforms)

Turn off WAN access to the admin interface so that rpWLANRedirect.asp is not reachable from the internet.

🧯 If You Can't Patch

  • Replace affected router with different model or vendor
  • Place router behind dedicated firewall with strict inbound rules

🔍 How to Verify

Check if Vulnerable:

Request http://[router-ip]/rpWLANRedirect.asp without authenticating. If the page loads and its HTML source contains the admin password, the device is vulnerable.

Check Version:

Log into router admin interface and check firmware version in Status or System Information page.

Verify Fix Applied:

Attempt to access rpWLANRedirect.asp without authentication; you should receive an authentication prompt or a 404 error. Confirm that the page source no longer contains the admin password.

📡 Detection & Monitoring

Log Indicators:

  • Access to rpWLANRedirect.asp from unauthenticated sources
  • Failed login attempts followed by successful admin access
  • Configuration changes from unexpected IP addresses

Network Indicators:

  • HTTP requests to /rpWLANRedirect.asp
  • Unusual admin interface access patterns
  • DNS configuration changes

SIEM Query (vendor-neutral pseudo-syntax; adapt field names and the trusted-IP list to your platform):

source="router.log" AND (uri="/rpWLANRedirect.asp" OR (event="login" AND user="admin" AND src_ip NOT IN [trusted_ips]))
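The two log indicators above, implemented as an added detection script that is not part of this advisory: it parses access-log lines in Combined Log Format (as an upstream proxy or syslog collector might record them), flags every request for rpWLANRedirect.asp regardless of case, and flags admin logins from addresses outside a trusted management network. The sample log lines and the trusted network 10.0.0.0/8 are constructed assumptions.

```python
import ipaddress
import re
from typing import Iterable

# Constructed sample lines (Combined Log Format) for requests to the router's
# web interface; 192.0.2.x and 198.51.100.x are documentation addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2019:10:01:02 +0000] "GET /rpWLANRedirect.asp HTTP/1.1" 200 4213 "-" "curl/7.64.0"
10.0.0.5 - - [12/Mar/2019:10:02:15 +0000] "GET /Status.html HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.10 - admin [12/Mar/2019:10:02:40 +0000] "POST /login.cgi HTTP/1.1" 302 0 "-" "curl/7.64.0"
10.0.0.5 - admin [12/Mar/2019:10:05:00 +0000] "POST /login.cgi HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2019:10:06:30 +0000] "GET /RPWLANREDIRECT.ASP HTTP/1.1" 200 4213 "-" "python-requests/2.21"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)

# Hypothetical trusted management network; replace with your own ranges.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

VULN_PAGE = "/rpwlanredirect.asp"  # compared case-insensitively


def is_trusted(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)


def detect(lines: Iterable[str]) -> list:
    """Return (src_ip, reason) tuples for lines matching the advisory's indicators."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than crash
        src, user, uri, status = m["src"], m["user"], m["uri"], int(m["status"])
        path = uri.split("?", 1)[0].lower()  # drop query string, normalise case
        # Indicator 1: any request for the credential-leaking page.
        if path == VULN_PAGE:
            alerts.append((src, f"request for rpWLANRedirect.asp (status {status}, user {user})"))
        # Indicator 2: admin activity from outside the trusted networks.
        elif user == "admin" and not is_trusted(src):
            alerts.append((src, "admin login from untrusted address"))
    return alerts


if __name__ == "__main__":
    for src, reason in detect(SAMPLE_LOG.splitlines()):
        print(f"ALERT {src}: {reason}")
```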
