CVE-2025-62771
📋 TL;DR
Mercku M6a devices allow an attacker to change the administrator password via cross-site request forgery (CSRF). The forged request is sent by the browser of a user who is on the local network and holds an authenticated admin session, so the attacker does not need to be on that network; they only need the victim to load attacker-controlled content while logged in. This affects Mercku M6a routers that have not received the fixed firmware. A successful attack gives the attacker control of router administration.
💻 Affected Systems
- Mercku M6a
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker who gets a logged-in admin's browser on the local network to load a crafted page could change the admin password, take full control of the router, reconfigure network settings, intercept traffic, or push malicious configuration (for example DNS settings) to connected devices.
Likely Case
An attacker lures a logged-in admin to a malicious page, changes the admin password, locks out legitimate administrators, and then redirects DNS or modifies firewall rules at leisure.
If Mitigated
Network segmentation and access controls limit who can reach the management interface, but they do not stop CSRF on their own, because the forged request comes from a permitted admin's browser. What remains is the case where an admin browses untrusted content while holding a router session, which the workarounds below are meant to reduce.
🎯 Exploit Status
Exploitation requires an admin (or anyone holding an authenticated session) whose browser is on the local network to visit an attacker-controlled page. The page itself can be hosted anywhere; only the victim's browser needs LAN access to the router.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: >2.1.0
Advisory (researcher write-up, not a Mercku page): https://blog.nullvoid.me/posts/mercku-exploits/
Restart Required: Yes
Instructions:
1. Log into the Mercku admin interface.
2. Check for firmware updates in System Settings.
3. Apply any available updates.
4. Reboot the device after the update.
🔧 Temporary Workarounds
Network Segmentation
Isolate the Mercku M6a management interface on a dedicated VLAN with strict access controls, so that only designated admin hosts can reach it at all.
Browser CSRF Protection
Use a browser extension that blocks cross-site requests to the router's address, or a dedicated browser profile for router administration. Do not browse other sites while logged in to the router UI, and log out when done so no authenticated session is left for a forged request to ride on.
🧯 If You Can't Patch
- Restrict local network access to trusted devices using MAC filtering or 802.1X authentication. Note that this only narrows who can hold an admin session; it does not block a forged request issued from an authorized admin's own browser.
- Implement strict outbound web filtering to block known malicious sites that could host CSRF payloads. This is partial protection: any page the admin can reach, including compromised legitimate sites, can carry the forged request.
🔍 How to Verify
Check if Vulnerable:
Access the Mercku admin interface, navigate to System Information, and check the firmware version. According to this page, version 2.1.0 or earlier is vulnerable. Compare versions numerically (2.10.0 is newer than 2.1.0), not as strings.
Check Version:
curl -k https://[router-ip]/api/system/info | grep version
Verify Fix Applied:
After updating, verify firmware version is greater than 2.1.0 in System Information.
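The version check above, written as an added example (not Mercku code and not from the advisory). It assumes, as the curl line on this page does, that the router answers on /api/system/info and that the response is JSON containing a "version" field somewhere; both are unverified assumptions, and the sample response below is constructed. The point it adds to the manual check is a numeric comparison against the 2.1.0 threshold, since a string comparison would misjudge versions like 2.10.0.

```python
"""Compare a Mercku M6a firmware version against the advisory's fix threshold.

Added example, not vendor code. Endpoint path and JSON layout are assumptions.
"""
import json
import re
import ssl
import urllib.request

FIXED_ABOVE = (2, 1, 0)  # page says patched versions are > 2.1.0

# Constructed sample of what /api/system/info might return (assumption).
SAMPLE_INFO = '{"model": "M6a", "data": {"version": "v2.1.0", "uptime": 8812}}'


def parse_version(text):
    """Return the first dotted numeric version in text as a tuple of ints."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version string found in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(version):
    """True if version (string or tuple) is <= 2.1.0; numeric, not lexical."""
    if isinstance(version, str):
        version = parse_version(version)
    width = max(len(version), len(FIXED_ABOVE))
    v = version + (0,) * (width - len(version))          # (2,1) -> (2,1,0)
    fixed = FIXED_ABOVE + (0,) * (width - len(FIXED_ABOVE))
    return v <= fixed


def version_from_info(body):
    """Find a 'version' key anywhere in the JSON body (assumed layout)."""
    def walk(node):
        if isinstance(node, dict):
            for k, val in node.items():
                if k == "version" and isinstance(val, str):
                    return val
                found = walk(val)
                if found:
                    return found
        elif isinstance(node, list):
            for item in node:
                found = walk(item)
                if found:
                    return found
        return None

    found = walk(json.loads(body))
    if found is None:
        raise ValueError("no version field in response")
    return found


def fetch_version(router_ip, timeout=5):
    """Fetch /api/system/info over HTTPS, skipping cert checks like curl -k.

    The router's self-signed certificate makes this necessary on the LAN;
    do not reuse this context for anything else.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    url = f"https://{router_ip}/api/system/info"   # path taken from this page's curl line
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return version_from_info(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    import sys
    ver = fetch_version(sys.argv[1]) if len(sys.argv) > 1 else version_from_info(SAMPLE_INFO)
    state = "VULNERABLE (<= 2.1.0)" if is_vulnerable(ver) else "patched (> 2.1.0)"
    print(f"firmware {ver}: {state}")
```

Run it with the router's address as the only argument; with no argument it evaluates the constructed sample, which reports as vulnerable because the sample carries version 2.1.0.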
📡 Detection & Monitoring
Log Indicators:
- Unexpected password change events in router logs
- Multiple failed login attempts followed by successful password reset
Network Indicators:
- HTTP POST requests to /api/user/password whose Referer or Origin is not the router's own address. Do not rely on the source IP: in a CSRF the request comes from the legitimate admin's own workstation.
- Unusual outbound traffic patterns after admin interface access
SIEM Query:
source="mercku-router" action="password_change" src_ip!=admin_workstation
This query catches direct abuse from other hosts but misses a CSRF, where src_ip is the admin workstation itself. Alert on every password_change that has no matching change record, and where headers are logged, on any change whose Referer/Origin is not the router's address.
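The network indicator above, as detection logic run over sample log lines. This is an added example, not vendor tooling, and the log lines are constructed: it assumes the router, or a proxy or IDS in front of it, writes a combined-style access log that includes the Referer header, and it uses the /api/user/password path named on this page. It flags a password change whose Referer is a foreign origin even when the source IP is the admin's own workstation, which is exactly the case a src_ip filter misses.

```python
"""Flag CSRF-shaped password changes to a Mercku M6a in an HTTP access log.

Added example, not vendor code. Log format, router hostnames and the log
lines themselves are assumptions constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Assumption: the router's own address(es) as they appear in a Referer URL.
ROUTER_ORIGINS = {"192.168.1.1", "router.local"}
PASSWORD_PATH = "/api/user/password"

# src ident user [ts] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: 192.168.1.10 is the admin workstation in every line.
SAMPLE_LOG = """\
192.168.1.10 - - [12/Nov/2025:10:01:02 +0000] "POST /api/user/password HTTP/1.1" 200 41 "https://192.168.1.1/admin/users" "Mozilla/5.0"
192.168.1.10 - - [12/Nov/2025:10:15:33 +0000] "POST /api/user/password HTTP/1.1" 200 41 "http://lure.example/free-wifi.html" "Mozilla/5.0"
192.168.1.10 - - [12/Nov/2025:10:16:01 +0000] "GET /api/system/info HTTP/1.1" 200 312 "https://192.168.1.1/admin" "Mozilla/5.0"
192.168.1.23 - - [12/Nov/2025:11:00:00 +0000] "POST /api/user/password HTTP/1.1" 200 41 "-" "curl/8.4.0"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer):
    """Hostname from a Referer value; None when absent ('-' or empty)."""
    if not referer or referer == "-":
        return None
    return urlsplit(referer).hostname


def classify(rec):
    """Return a reason if the record is a suspicious password change, else None."""
    if rec["method"] != "POST" or rec["path"] != PASSWORD_PATH:
        return None
    host = referer_host(rec["referer"])
    if host is None:
        # Scripted/direct call, or a browser that stripped Referer; review either way.
        return "password change with no Referer"
    if host not in ROUTER_ORIGINS:
        # The CSRF case: the admin's own browser submitted a form from another site.
        return f"password change submitted from foreign origin {host}"
    return None


def find_suspicious(log_text):
    """Return (src_ip, timestamp, reason) for every suspicious password change."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            findings.append((rec["src"], rec["ts"], reason))
    return findings


if __name__ == "__main__":
    for src, ts, reason in find_suspicious(SAMPLE_LOG):
        print(f"{ts} src={src}: {reason}")
```

Two of the four constructed lines are flagged: the forged change coming from lure.example, whose source IP is the admin workstation and would pass the src_ip filter, and the direct curl change with no Referer. A missing Referer alone is weak evidence (referrer policies strip it), so treat that finding as a review item rather than a confirmed attack; where the router logs the Origin header, prefer it, since browsers send it on cross-site POSTs.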