CVE-2025-65010
📋 TL;DR
The WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) has a broken access control vulnerability in the initial configuration wizard.cgi endpoint. This allows unauthorized attackers to change the admin panel password, potentially taking full control of the router. All users of these router models are affected, particularly those with internet-facing devices.
💻 Affected Systems
- WODESYS WD-R608U
- WDR122B V2.0
- WDR28
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete router compromise, allowing an attacker to intercept all network traffic, modify DNS settings, install malware, and use the router as a pivot point into the internal network.
Likely Case
Unauthorized administrative access leading to network monitoring, credential theft, and potential man-in-the-middle attacks against connected devices.
If Mitigated
Limited impact if the router is behind a firewall with restricted WAN access, though internal threats remain possible.
🎯 Exploit Status
Exploitation requires only simple HTTP requests to the wizard.cgi endpoint. Public research and GitHub references indicate that exploit details are available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None provided
Restart Required: No
Instructions:
No official patch available. Vendor was notified but has not responded with remediation details.
🔧 Temporary Workarounds
Disable WAN access to admin interface
Configure a firewall to block external access to the router admin interface (typically ports 80/443)
Change default admin credentials
Use a strong, unique admin password that differs from the default
🧯 If You Can't Patch
- Replace vulnerable routers with supported models from a different vendor
- Place routers behind a dedicated firewall with strict ingress filtering
🔍 How to Verify
Check if Vulnerable:
Test by attempting to access the wizard.cgi endpoint without authentication and observing whether a password change is possible. Check the router web interface for version information.
Check Version:
Check the router's web admin panel, or connect with: telnet [router_ip] 80, send GET / HTTP/1.0 (followed by an empty line to end the request) and inspect the response headers.
Verify Fix Applied:
No official fix is available to verify. If the vendor releases an update, verify that the installed version number matches the patched version.
📡 Detection & Monitoring
Log Indicators:
- Unusual access to wizard.cgi endpoint
- Multiple failed login attempts followed by a successful admin password change
- Admin password changes from unexpected IP addresses
Network Indicators:
- HTTP POST requests to wizard.cgi containing password change parameters from unauthorized sources
- Unusual traffic patterns from router to external IPs
SIEM Query:
source="router_logs" AND (uri="*wizard.cgi*" OR event="password_change") AND src_ip NOT IN (authorized_admin_ips)
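The following is an added example (not part of the advisory, and not vendor code) that implements the indicators above as a small log scanner: it flags wizard.cgi requests and admin password changes whose source IP is outside an administrator allow-list, and additionally tags a password change that follows wizard.cgi access from the same IP, mirroring the SIEM query's "src_ip NOT IN (authorized_admin_ips)" condition. The log lines, the key=value log format, the allow-list subnet and the function names are all constructed assumptions; real router or syslog output will differ, so adapt parse_line() to your log source.

```python
"""Added example: flag router log lines matching the CVE-2025-65010 indicators.
The log format (timestamp followed by key=value fields) is a constructed
assumption, not the WD-R608U's real format."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample log lines, not real device output.
SAMPLE_LOGS = """\
2025-11-20T10:01:02Z src_ip=192.168.1.10 method=GET uri=/index.html status=200
2025-11-20T10:01:05Z src_ip=203.0.113.45 method=POST uri=/wizard.cgi status=200
2025-11-20T10:01:06Z src_ip=203.0.113.45 event=password_change user=admin
2025-11-20T10:02:00Z src_ip=192.168.1.10 method=POST uri=/wizard.cgi status=200
2025-11-20T10:03:00Z src_ip=198.51.100.7 method=GET uri=/wizard.cgi?step=1 status=200
"""

# Hypothetical allow-list: the subnet administrators are expected to manage the router from.
AUTHORIZED_ADMIN_NETS = [ipaddress.ip_network("192.168.1.0/24")]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Alert:
    ts: str
    src_ip: str
    reason: str
    line: str


def parse_line(line: str) -> Optional[dict]:
    """Split a line into a dict of key=value fields plus 'ts'; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("kv")))
    fields["ts"] = m.group("ts")
    return fields


def is_authorized(ip: str) -> bool:
    """True if the IP falls inside one of the allow-listed admin networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed or missing IP is never treated as authorized
    return any(addr in net for net in AUTHORIZED_ADMIN_NETS)


def detect(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per suspicious line, in log order."""
    alerts: List[Alert] = []
    wizard_hits = set()  # IPs seen touching wizard.cgi earlier in the stream
    for raw in lines:
        f = parse_line(raw)
        if not f or "src_ip" not in f:
            continue
        src = f["src_ip"]
        hits_wizard = "wizard.cgi" in f.get("uri", "")
        hits_pwchange = f.get("event") == "password_change"
        if not (hits_wizard or hits_pwchange):
            continue
        if hits_wizard:
            wizard_hits.add(src)
        if is_authorized(src):
            continue  # expected admin activity; nothing to raise
        if hits_pwchange:
            reason = "password_change"
            if src in wizard_hits:
                reason += " after wizard.cgi access"  # the sequence the advisory highlights
        elif f.get("method") == "POST":
            reason = "POST to wizard.cgi"
        else:
            reason = "wizard.cgi access"
        alerts.append(Alert(f["ts"], src, reason, raw.strip()))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS.splitlines()):
        print(f"{a.ts} {a.src_ip} {a.reason}")
```

Run against the embedded sample it raises three alerts: the external POST to wizard.cgi, the password change from that same external IP (tagged as following wizard.cgi access), and the external GET of wizard.cgi, while the identical POST from the allow-listed LAN host is left alone.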