CVE-2025-65007
📋 TL;DR
This vulnerability allows unauthenticated attackers to execute administrative commands on WODESYS WD-R608U routers (also known as WDR122B V2.0 and WDR28) via the adm.cgi endpoint. Attackers can create backups, restart devices, or reset routers to factory settings without authentication. All users of affected router models are potentially impacted.
💻 Affected Systems
- WODESYS WD-R608U
- WDR122B V2.0
- WDR28
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete network disruption through factory resets or persistent device reboots, potentially enabling further network compromise if combined with other vulnerabilities.
Likely Case
Service disruption through device restarts or configuration loss through factory resets, leading to network downtime.
If Mitigated
Limited impact if routers are behind firewalls with strict inbound filtering and not internet-facing.
🎯 Exploit Status
Exploitation requires only simple HTTP requests to the adm.cgi endpoint with specific parameters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch available. Monitor vendor website for firmware updates.
🔧 Temporary Workarounds
Network Segmentation and Access Control
Restrict access to the router administration interface using firewall rules
Disable Remote Administration
Turn off remote management features if enabled
🧯 If You Can't Patch
- Replace affected routers with different models from vendors with better security track records
- Place routers behind dedicated firewalls with strict inbound filtering rules
🔍 How to Verify
Check if Vulnerable:
Test whether HTTP POST requests to the /adm.cgi endpoint carrying administrative commands are accepted without authentication
Check Version:
Check the router web interface, or use nmap or router scanning tools, to identify the firmware version
Verify Fix Applied:
Verify that the firmware version is newer than the vulnerable version and confirm that the adm.cgi endpoint now requires authentication
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated POST requests to /adm.cgi
- Unexpected device reboots or factory resets
- Backup file creation without user action
Network Indicators:
- HTTP traffic to the router IP on port 80/443 with adm.cgi in the URL
- Unusual administrative command patterns from external IPs
SIEM Query:
source_ip NOT IN internal_ips AND dest_port IN (80,443) AND url_path CONTAINS 'adm.cgi'
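The SIEM query above, applied to raw log lines, as an added example that is not part of this advisory: it assumes a constructed, simplified access-log format (source IP, destination IP:port, quoted request line, status code) and treats the RFC 1918 ranges as the internal address set; adjust both to your environment.

```python
import ipaddress
import re
from typing import Optional

# Internal address set assumed for this example (RFC 1918); adjust to your network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log format (not from the advisory): src_ip dst_ip:dst_port "METHOD path ..." status
LOG_RE = re.compile(
    r'^(?P<src>\S+)\s+(?P<dst>\S+):(?P<port>\d+)\s+"(?P<method>[A-Z]+)\s+(?P<path>\S+)[^"]*"\s+(?P<status>\d{3})'
)

def is_internal(ip: str) -> bool:
    """True if ip parses and falls inside one of the internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)

def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def matches_indicator(rec: dict) -> bool:
    """Mirror the SIEM query: external source, destination port 80/443, adm.cgi in the path."""
    return (not is_internal(rec["src"])
            and int(rec["port"]) in (80, 443)
            and "adm.cgi" in rec["path"])

def scan(lines):
    """Return the parsed records that match the indicator, in log order."""
    return [rec for rec in map(parse_line, lines) if rec and matches_indicator(rec)]

# Constructed sample log: two external hits, one internal admin session, one unrelated
# request, and one request on a port outside the query's scope.
SAMPLE_LOG = """\
203.0.113.7 192.168.1.1:80 "POST /adm.cgi HTTP/1.1" 200
192.168.1.20 192.168.1.1:80 "POST /adm.cgi HTTP/1.1" 200
203.0.113.9 192.168.1.1:80 "GET /index.html HTTP/1.1" 200
198.51.100.4 192.168.1.1:443 "POST /cgi-bin/adm.cgi HTTP/1.1" 401
203.0.113.7 192.168.1.1:8080 "POST /adm.cgi HTTP/1.1" 200
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG.splitlines()):
        print(f"ALERT src={h['src']} port={h['port']} {h['method']} {h['path']} status={h['status']}")
```

The third sample line is correctly ignored and the internal-source line is dropped by the query's own `NOT IN internal_ips` clause, so a hit from inside the network (a compromised host) would need a separate, broader rule.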