CVE-2025-26006
📋 TL;DR
This vulnerability allows unauthenticated remote attackers to execute arbitrary code on Telesquare TLR-2005KSH routers by exploiting a buffer overflow in the admin.cgi endpoint, reached through its setAutorest parameter. A successful attacker gains full control of the device and, with it, a foothold on every network the router connects. Only Telesquare TLR-2005KSH routers running firmware version 1.1.4 are listed as affected.
💻 Affected Systems
- Telesquare TLR-2005KSH
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete device takeover leading to persistent backdoor installation, network traffic interception, lateral movement to other systems, and use as botnet node.
Likely Case
Remote code execution allowing attacker to modify device configuration, steal credentials, or use device for DDoS attacks.
If Mitigated
Limited impact if the web management interface is not reachable from the WAN or from untrusted internal segments, i.e. the device sits behind a firewall with strict inbound rules and is segmented from user networks. Verify this rather than assuming it: any host that can reach admin.cgi can exploit the flaw without credentials.
🎯 Exploit Status
A public GitHub repository contains a proof-of-concept exploit. A single crafted HTTP request to admin.cgi triggers the vulnerability, so exploitation needs no authentication, no user interaction and no special tooling.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None found
Restart Required: Not applicable (no patch is available)
Instructions:
No official patch is available. Contact Telesquare support for firmware updates and apply the workarounds below in the meantime. If no patch is forthcoming, plan to replace the device: the workarounds reduce exposure but do not remove the flaw.
🔧 Temporary Workarounds
Disable Web Management Interface
Disable the HTTP/HTTPS management interface if it is not required for operations. This removes the vulnerable admin.cgi endpoint from the network entirely and is the most effective workaround.
Access the device CLI via SSH/Telnet
Navigate to the management settings
Disable the web interface
Afterwards, confirm from another host that nothing answers on TCP 80 and 443 of the device.
Restrict Management Access
Limit access to the management interface to specific trusted IP addresses.
Configure upstream firewall rules so that only trusted management hosts can reach TCP 80/443 on the device, and block those ports from the WAN entirely
Use ACLs on the device if supported, as a second layer in addition to the upstream firewall rather than instead of it
🧯 If You Can't Patch
- Isolate device in separate VLAN with strict firewall rules
- Monitor network traffic for exploit attempts (requests to /admin.cgi from unexpected sources) and for unusual outbound connections from the device
🔍 How to Verify
Check if Vulnerable:
Check the device web interface for version information. If the version is 1.1.4, the device is vulnerable. Other versions are not listed as affected, but with no vendor advisory there is no confirmation that they are safe.
Check Version:
curl -s http://[device-ip]/ | grep -i version
Alternatively, check the web interface login page. The grep only finds the version if the firmware prints it in the page HTML; if it returns nothing, fall back to the login page or the device's status page.
Verify Fix Applied:
No official fix is available. Verify the workarounds by testing from an untrusted network segment (and from the WAN side) that the web interface is inaccessible or restricted, for example by confirming that TCP 80/443 on the device are closed or filtered from there.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /admin.cgi with setAutorest parameter
- Large payloads in HTTP requests
- Device reboot or service restart logs (a failed overflow attempt typically crashes the web server or the whole device)
Network Indicators:
- HTTP POST requests to /admin.cgi endpoint
- Unusual outbound connections from device
- Traffic spikes from device
SIEM Query:
source="router-logs" AND uri="/admin.cgi" AND (param="setAutorest" OR size>1000)
Illustrative pseudo-query: adjust the source, field names and the size threshold to your log schema and the device's normal traffic, and baseline legitimate admin.cgi use first so that routine administration does not generate alerts.
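The log and network indicators above, applied to sample log lines as an added example (this is not code from the original page, from Telesquare, or from the proof-of-concept repository). It assumes a constructed, space-separated access-log format of the form `<client-ip> <method> <uri> <request-body-bytes> <status>`, and the 1000-byte body threshold mirrors the SIEM query above rather than any vendor figure. Requests to /admin.cgi that carry the setAutorest parameter or an oversized body are flagged; ordinary admin-page traffic to the same endpoint is not.

```python
"""Scan an HTTP access log for the CVE-2025-26006 indicators listed above.

Added example for this page; not code from the original page or from
Telesquare. It assumes a constructed, space-separated log format, one
request per line:

    <client-ip> <method> <uri> <request-body-bytes> <status>

The 1000-byte threshold mirrors the page's SIEM query and is an assumption,
not a figure from any advisory.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

BODY_THRESHOLD = 1000          # assumed; tune to the device's normal traffic
TARGET_PATH = "/admin.cgi"
SUSPECT_PARAM = "setAutorest"

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) (?P<body>\d+) (?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Hit:
    ip: str
    method: str
    uri: str
    body_bytes: int
    reasons: tuple


def classify(method: str, uri: str, body_bytes: int) -> tuple:
    """Return the indicator names matched by one request (empty tuple = benign).

    Only /admin.cgi is examined: routine traffic to that endpoint without the
    setAutorest parameter and with a small body is not flagged.
    """
    parts = urlsplit(uri)
    if parts.path != TARGET_PATH:
        return ()
    reasons = []
    params = parse_qs(parts.query, keep_blank_values=True)
    if SUSPECT_PARAM in params:
        reasons.append("setAutorest parameter")
    if body_bytes > BODY_THRESHOLD:
        reasons.append(f"request body {body_bytes} bytes > {BODY_THRESHOLD}")
    return tuple(reasons)


def scan(log_text: str) -> list:
    """Parse every line and return a Hit for each request matching an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate unparseable lines instead of aborting the scan
        body = int(m["body"])
        reasons = classify(m["method"], m["uri"], body)
        if reasons:
            hits.append(Hit(m["ip"], m["method"], m["uri"], body, reasons))
    return hits


def sources(hits) -> dict:
    """Count hits per client IP so a single scanning or exploiting host stands out."""
    counts = {}
    for h in hits:
        counts[h.ip] = counts.get(h.ip, 0) + 1
    return counts


# Constructed sample log (IPs, parameter values and the "page=status" query are
# made up): one benign admin poll, one page load, three indicator matches, and
# one garbage line that the parser must skip.
SAMPLE_LOG = """\
10.0.0.5 GET /admin.cgi?page=status 0 200
10.0.0.7 GET /index.html 0 200
10.0.0.9 GET /admin.cgi?setAutorest=1 0 200
10.0.0.9 POST /admin.cgi 4096 500
10.0.0.9 POST /admin.cgi?setAutorest=AAAAAAAA 2048 200
this line is garbage and must not crash the scanner
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h.ip} {h.method} {h.uri} body={h.body_bytes}: {', '.join(h.reasons)}")
    print("hits per source:", sources(found))
```

Feed it real device or proxy logs by converting them to the assumed line format, or replace `LINE_RE` with a pattern for your own log schema; the classification logic in `classify` is independent of the parser. A 500 on a large POST to admin.cgi, as in the fourth sample line, is worth correlating with the reboot/service-restart indicator above.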