CVE-2025-56009
📋 TL;DR
This CSRF vulnerability in KeeneticOS allows attackers to add new administrative users with full permissions by tricking authenticated users into visiting a malicious webpage. It affects Keenetic routers running vulnerable firmware versions. Attackers could gain complete control over the router if exploited successfully.
💻 Affected Systems
- Keenetic routers
📦 What is this software?
Keeneticos by Keenetic
⚠️ Risk & Real-World Impact
Worst Case
Complete device takeover with attacker gaining administrative access, allowing them to reconfigure network settings, intercept traffic, or use the device as a pivot point into the internal network.
Likely Case
Unauthorized administrative user creation leading to persistent backdoor access to the router management interface.
If Mitigated
Limited impact if CSRF protections are implemented or if users don't visit malicious sites while authenticated.
🎯 Exploit Status
Requires social engineering to get authenticated user to visit malicious page. Exploit would involve crafting a CSRF payload targeting the /rci endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: KeeneticOS 4.3 or later
Vendor Advisory: https://keenetic.com/global/security#october-2025-web-api-vulnerabilities
Restart Required: No
Instructions:
1. Log into Keenetic router admin interface. 2. Navigate to System > Firmware Update. 3. Check for and install KeeneticOS 4.3 or later. 4. Verify update completed successfully.
🔧 Temporary Workarounds
Enable CSRF Protection
allImplement anti-CSRF tokens on the /rci API endpoint if supported by custom configuration.
Restrict API Access
allLimit access to the /rci endpoint to trusted IP addresses only through firewall rules.
🧯 If You Can't Patch
- Log out of router admin interface when not actively managing the device
- Use browser extensions that block CSRF attacks or implement same-origin policy enforcement
🔍 How to Verify
Check if Vulnerable:
Check current KeeneticOS version via admin interface: System > About. If version is below 4.3, device is vulnerable.Check Version:
No CLI command - check via web interface at System > AboutVerify Fix Applied:
After updating, verify version is 4.3 or higher in System > About. Test /rci endpoint with CSRF payload simulation if possible.📡 Detection & Monitoring
Log Indicators:
- Unexpected user creation events in system logs
- Multiple failed login attempts followed by successful user creation
- API calls to /rci endpoint from unusual sources
Network Indicators:
- HTTP POST requests to /rci endpoint with user creation parameters
- Traffic patterns suggesting CSRF exploitation
SIEM Query:
source="keenetic" AND (uri_path="/rci" AND method="POST" AND (params CONTAINS "add_user" OR params CONTAINS "user_create"))