CVE-2025-29268 – ALLNET ALL-RUT22GW routers contain hardcoded cr... (How to Fix)

📋 TL;DR

ALLNET ALL-RUT22GW routers contain hardcoded credentials in the libicos.so library, allowing attackers to gain unauthorized access to the device. This affects all users of ALL-RUT22GW v3.3.8 routers, particularly those in industrial environments where these devices are commonly deployed.

💻 Affected Systems

Products:

ALLNET ALL-RUT22GW

Versions: v3.3.8

Operating Systems: Embedded Linux

Default Config Vulnerable: ⚠️ Yes

Notes: All devices running the vulnerable firmware version are affected regardless of configuration.

📦 What is this software?

All Rut22gw Firmware by Allnet

View all CVEs affecting All Rut22gw Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the router allowing attackers to intercept network traffic, modify configurations, install malware, pivot to internal networks, and disrupt industrial operations.

🟠

Likely Case

Unauthorized administrative access to the router leading to network monitoring, configuration changes, and potential lateral movement to connected systems.

🟢

If Mitigated

Limited impact if network segmentation prevents router access and strong perimeter controls are in place.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, making them directly accessible to attackers.

🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could exploit this if they can reach the router's management interface.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Hardcoded credentials are trivial to extract and use once the library is analyzed. No authentication required to use the discovered credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: Yes

Instructions:

1. Check vendor website for firmware updates
2. Download latest firmware
3. Backup current configuration
4. Upload and install new firmware via web interface
5. Restart router
6. Restore configuration if needed

🔧 Temporary Workarounds

Network Segmentation

all

Isolate router management interface from untrusted networks

Access Control Lists

all

Restrict management interface access to trusted IP addresses only

🧯 If You Can't Patch

Replace affected devices with patched or alternative models
Implement network monitoring for unauthorized access attempts to router management interfaces

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router web interface under System > Firmware. If version is 3.3.8, device is vulnerable.

Check Version:

Login to router web interface and navigate to System > Firmware page

Verify Fix Applied:

Verify firmware version has been updated to a version later than 3.3.8 and attempt to authenticate with known hardcoded credentials (should fail).

📡 Detection & Monitoring

Log Indicators:

Failed authentication attempts followed by successful login
Multiple login attempts from unusual IP addresses
Configuration changes from unexpected sources

Network Indicators:

Unusual traffic patterns from router
Management interface accessed from external IPs
Unexpected outbound connections from router

SIEM Query:

source="router_logs" AND (event_type="authentication" AND result="success") AND user="admin" | stats count by src_ip

📊 Metadata

CVE ID: CVE-2025-29268

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-798

EPSS Score: 0.08% exploit probability (22.7th percentile)

Published: December 4, 2025

Last Updated: December 16, 2025

🔗 References

http://all-rut22gw.com Broken Link
http://allnet.com Broken Link
https://blog.byteray.co.uk/critical-vulnerabilities-in-rut22gw-industrial-lte-cellular-routers-f4eb8768feb7?gi=f74ff4eb9f22 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-29268, you might also want to check these: