CVE-2025-7072
📋 TL;DR
This CVE describes a critical vulnerability in KAON CG3000TC and CG3000T routers where hard-coded credentials are embedded in the firmware in clear text. These credentials are shared across all routers of these models, allowing unauthenticated remote attackers to gain root access and execute arbitrary commands. All users of affected router models with vulnerable firmware versions are at risk.
💻 Affected Systems
- KAON CG3000TC
- KAON CG3000T
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the router with root access, allowing attackers to intercept all network traffic, install persistent malware, pivot to internal networks, and use the router as part of botnets or for launching further attacks.
Likely Case
Attackers gain administrative control of the router, enabling them to modify DNS settings, redirect traffic, steal credentials, and monitor all network communications passing through the device.
If Mitigated
If routers are behind firewalls with strict inbound filtering and network segmentation, the attack surface is reduced, though internal threats may still exist if attackers gain initial access through other means.
🎯 Exploit Status
The vulnerability is straightforward to exploit as it involves using known hard-coded credentials. No special tools or advanced techniques are required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.00.67 for CG3000TC, 1.00.27 for CG3000T
Vendor Advisory: https://cert.pl/posts/2026/01/CVE-2025-7072/
Restart Required: Yes
Instructions:
1. Identify your router model (CG3000TC or CG3000T).
2. Download the appropriate firmware update from KAON's official website.
3. Access the router's web interface.
4. Navigate to the firmware update section.
5. Upload and apply the firmware file.
6. Wait for the router to reboot automatically.
7. Verify the firmware version has been updated.
🔧 Temporary Workarounds
Network Access Control
Restrict access to router management interfaces using firewall rules to only allow connections from trusted IP addresses.
Change Default Credentials
While this doesn't fix the hard-coded credentials issue, changing any user-configurable credentials adds an additional layer of security.
🧯 If You Can't Patch
- Replace affected routers with different models that don't have this vulnerability
- Isolate routers in a dedicated network segment with strict firewall rules limiting both inbound and outbound traffic
🔍 How to Verify
Check if Vulnerable:
Check your router's firmware version via the web interface. If it's below 1.00.67 for CG3000TC or below 1.00.27 for CG3000T, you are vulnerable.
Check Version:
Access router web interface and navigate to System Status or About section to view firmware version.
Verify Fix Applied:
After updating, verify the firmware version shows 1.00.67 or higher for CG3000TC, or 1.00.27 or higher for CG3000T in the router's web interface.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts followed by successful login
- Unusual administrative access from unexpected IP addresses
- Configuration changes made outside of normal maintenance windows
Network Indicators:
- Unexpected outbound connections from router to suspicious IPs
- DNS queries to malicious domains
- Traffic redirection to unexpected destinations
SIEM Query:
source="router_logs" AND ((event_type="authentication" AND result="success" AND user="admin") OR (event_type="configuration_change" AND user!="authorized_user"))
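The log indicators listed above can also be checked offline against exported router logs. The Python below is an added example, not a script from the vendor or from this page: the key=value log format, the `src_ip` field, the management subnet, the maintenance window and the thresholds are assumptions, while `event_type`, `result` and `user` follow the field names used in the SIEM query.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions, not from the advisory: management subnet, maintenance window, thresholds.
TRUSTED_NET = ipaddress.ip_network("192.168.10.0/24")
MAINT_HOURS = range(2, 4)  # changes are expected only between 02:00 and 03:59
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=5)

# Constructed sample lines in a hypothetical key=value export format.
SAMPLE_LOG = """\
2026-01-12T02:10:00 event_type=configuration_change user=admin src_ip=192.168.10.5
2026-01-12T09:00:01 event_type=authentication result=failure user=admin src_ip=203.0.113.7
2026-01-12T09:00:05 event_type=authentication result=failure user=admin src_ip=203.0.113.7
2026-01-12T09:00:09 event_type=authentication result=failure user=admin src_ip=203.0.113.7
2026-01-12T09:00:14 event_type=authentication result=success user=admin src_ip=203.0.113.7
2026-01-12T09:03:40 event_type=configuration_change user=admin src_ip=203.0.113.7
2026-01-12T11:30:00 event_type=authentication result=success user=admin src_ip=192.168.10.5
"""

def parse(line):
    ts, _, rest = line.partition(" ")
    return {**dict(re.findall(r"(\w+)=(\S+)", rest)), "ts": datetime.fromisoformat(ts)}

def detect(log_text):
    alerts, failures = [], defaultdict(deque)  # failures: src_ip -> recent failed-login times
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ev = parse(line)
        ip, ts = ev.get("src_ip", "0.0.0.0"), ev["ts"]
        if ev.get("event_type") == "authentication":
            recent = failures[ip]
            while recent and ts - recent[0] > FAIL_WINDOW:
                recent.popleft()  # forget failures older than the window
            if ev.get("result") == "failure":
                recent.append(ts)
            elif ev.get("result") == "success":
                if len(recent) >= FAIL_THRESHOLD:
                    alerts.append(("failures_then_success", ip, ts))
                if ipaddress.ip_address(ip) not in TRUSTED_NET:
                    alerts.append(("login_from_unexpected_ip", ip, ts))
                recent.clear()
        elif ev.get("event_type") == "configuration_change" and ts.hour not in MAINT_HOURS:
            alerts.append(("config_change_outside_window", ip, ts))
    return alerts

if __name__ == "__main__":
    print(*detect(SAMPLE_LOG), sep="\n")
```

On the constructed sample this raises three alerts, all for 203.0.113.7; the in-window change and the login from the management subnet stay quiet.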