Login Sign Up

CVE-2025-2921

6.4 MEDIUM
Authentication Bypass

📋 TL;DR

A critical vulnerability in Netis WF-2404 routers allows attackers to exploit a default password issue via manipulation of the /etc/passwd file using 'Realtek' input. This affects physical Netis WF-2404 routers running version 1.1.124EN, potentially allowing unauthorized access to the device.

💻 Affected Systems

Products:
  • Netis WF-2404
Versions: 1.1.124EN
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects physical devices; requires physical access or network access to exploit.

📦 What is this software?

Netis Wf 2404 Firmware by Netis Systems

View all CVEs affecting Netis Wf 2404 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the router allowing attackers to intercept network traffic, modify configurations, install malware, or use the device as a pivot point into the internal network.

🟠

Likely Case

Unauthorized administrative access to the router leading to network configuration changes, DNS hijacking, or credential theft from connected devices.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent lateral movement from the compromised router.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: HIGH

Exploit requires physical device access or network proximity; exploit details are publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None

Vendor Advisory: None

Restart Required: No

Instructions:

No official patch available. Vendor did not respond to disclosure.

🔧 Temporary Workarounds

Change Default Credentials

all

Immediately change all default passwords on the router, especially administrative credentials.

Disable Unnecessary Services

all

Turn off any unnecessary network services and interfaces to reduce attack surface.

🧯 If You Can't Patch

  • Replace affected routers with different models from vendors that provide security updates
  • Isolate affected routers in a separate VLAN with strict firewall rules limiting their network access

🔍 How to Verify

Check if Vulnerable:

Check router web interface or console for firmware version 1.1.124EN. Attempt to access /etc/passwd with 'Realtek' manipulation if possible.

Check Version:

Check router admin interface under System Status or similar section for firmware version.

Verify Fix Applied:

Verify that default passwords have been changed and test that the exploit no longer works.

📡 Detection & Monitoring

Log Indicators:

  • Unusual login attempts to router admin interface
  • Configuration changes from unexpected sources
  • Access to /etc/passwd file

Network Indicators:

  • Unexpected traffic from router to external IPs
  • DNS queries to suspicious domains from router

SIEM Query:

Search for authentication events from router IP with default credentials or failed login patterns.

📊 Metadata

CVE ID: CVE-2025-2921
CVSS v3 Score: 6.4 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-1393
EPSS Score: 0.08% exploit probability (24.1th percentile)
Published: March 28, 2025
Last Updated: April 17, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-2921, you might also want to check these:

CVE-2023-32090 9.8

Pega Platform versions 6.1 through 7.3.1 contain default operator credentials that could allow attac...

Same vulnerability type (CWE-1393)
CVE-2026-24429 9.8

This vulnerability allows attackers to use hardcoded default credentials to gain administrative acce...

Same vulnerability type (CWE-1393)
CVE-2024-30802 9.8

This vulnerability in Vehicle Management System 7.31.0.3_20230412 allows attackers to escalate privi...

Same vulnerability type (CWE-1393)