CVE-2025-44887

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on affected FW-WGS-804HPT devices via a stack overflow in the web_radiusSrv_post function. Attackers can exploit this by sending specially crafted requests to the radIpkey parameter. Organizations using FW-WGS-804HPT v1.305b241111 are affected.

💻 Affected Systems

Products:
  • FW-WGS-804HPT
Versions: v1.305b241111
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the web interface's RADIUS server configuration function

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise leading to device takeover, network pivoting, and persistent backdoor installation

🟠 Likely Case: Remote code execution allowing attackers to modify device configuration, intercept network traffic, or launch attacks against internal systems

🟢 If Mitigated: Denial of service or limited information disclosure if exploit attempts are detected and blocked

🌐 Internet-Facing: HIGH - The vulnerability is in a web interface function and can be exploited remotely without authentication
🏢 Internal Only: HIGH - Even internally, the vulnerability allows complete device compromise

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Detailed technical analysis and proof-of-concept are publicly available in the reference link

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

1. Check vendor website for firmware updates
2. If update available, download and verify checksum
3. Backup current configuration
4. Upload new firmware through web interface
5. Restore configuration if needed

🔧 Temporary Workarounds

Disable RADIUS server functionality (platform: all)

Disable the RADIUS server feature if it is not required.

Network segmentation and access control (platform: linux)

Restrict access to the device web interface using firewall rules on the upstream Linux firewall (replace trusted_network with your management network; the rules are appended in order, so the ACCEPT lines must come before the DROP lines):

iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Isolate affected devices in a separate VLAN with strict network controls
  • Implement WAF or reverse proxy to filter malicious requests to the web interface

🔍 How to Verify

Check if Vulnerable:

Check device firmware version in web interface under System > Firmware

Check Version:

curl -s http://device-ip/status | grep -i version

Verify Fix Applied:

Verify firmware version is no longer v1.305b241111

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /web_radiusSrv_post
  • Large payloads sent to radIpkey parameter
  • Device crash or restart logs

Network Indicators:

  • HTTP POST requests with oversized radIpkey parameter values
  • Traffic to device web interface from unexpected sources

SIEM Query:

source="device_logs" AND (uri="/web_radiusSrv_post" OR parameter="radIpkey") AND size>1000
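As an added detection example (not part of this advisory and not vendor code), the following Python script scans constructed access-log lines for the indicators listed above: POST requests to /web_radiusSrv_post carrying an oversized radIpkey value. The log line format, the 256-byte threshold and the placeholder parameter "x" are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Threshold is an assumption for this example: a RADIUS secret or address is
# short, so a radIpkey value this long is worth an alert.
RADIPKEY_MAX_LEN = 256
TARGET_PATH = "/web_radiusSrv_post"   # handler named in the advisory


def check_request(method, path, body):
    """Return an alert dict if the request matches the advisory's indicators
    (POST to /web_radiusSrv_post with an oversized radIpkey), else None."""
    if method.upper() != "POST" or urlsplit(path).path != TARGET_PATH:
        return None
    # parse_qs percent-decodes, so we measure the length the device's handler
    # would actually copy into its buffer, not the encoded wire length.
    params = parse_qs(body or "", keep_blank_values=True)
    longest = max((len(v) for v in params.get("radIpkey", [])), default=0)
    if longest > RADIPKEY_MAX_LEN:
        return {"path": path, "radIpkey_len": longest}
    return None


def scan_log(lines):
    """Scan constructed access-log lines of the assumed form
    '<timestamp> <src_ip> <method> <path> <body-or-dash>' and return alerts."""
    alerts = []
    for line in lines:
        parts = line.split(maxsplit=4)
        if len(parts) < 4:
            continue                     # malformed line, skip it
        ts, src, method, path = parts[:4]
        body = parts[4] if len(parts) == 5 and parts[4] != "-" else ""
        hit = check_request(method, path, body)
        if hit:
            alerts.append({"ts": ts, "src": src, **hit})
    return alerts


# Constructed sample log (not real traffic); parameter "x" is a placeholder.
SAMPLE_LOG = [
    "2025-06-01T10:00:01Z 10.0.0.5 GET /status -",
    "2025-06-01T10:00:05Z 10.0.0.5 POST /web_radiusSrv_post radIpkey=s3cret&x=1",
    # percent-encoded but only 100 bytes once decoded: below threshold, no alert
    "2025-06-01T10:00:09Z 10.0.0.5 POST /web_radiusSrv_post radIpkey=" + "%41" * 100,
    # oversized value from an unexpected source: the indicator to alert on
    "2025-06-01T10:01:12Z 203.0.113.9 POST /web_radiusSrv_post?lang=en radIpkey="
    + "A" * 600 + "&x=1",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```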

🔗 References
