| CVE ID | CVE-2025-3758 |
| Publication date | 08 May 2025 |
| Vendor | Netis Systems |
| Product | WF2220 |
| Vulnerable versions | 1.2.31706 |
| Vulnerability type (CWE) | Missing Authentication for Critical Function (CWE-306) |
| Report source | Report to CERT Polska |
| CVE ID | CVE-2025-3759 |
| Publication date | 08 May 2025 |
| Vendor | Netis Systems |
| Product | WF2220 |
| Vulnerable versions | 1.2.31706 |
| Vulnerability type (CWE) | Missing Authentication for Critical Function (CWE-306) |
| Report source | Report to CERT Polska |
Description
CERT Polska has received a report about vulnerabilities in Netis Systems WF2220 software and participated in coordination of their disclosure.
The vulnerability CVE-2025-3758: WF2220 exposes endpoint /cgi-bin-igd/netcore_get.cgi that returns configuration of the device to unauthorized users. Returned configuration includes cleartext password.
The vulnerability CVE-2025-3759: Endpoint /cgi-bin-igd/netcore_set.cgi which is used for changing device configuration is accessible without authentication. This poses a significant security threat allowing for e.g: administrator account hijacking or AP password changing.
We have not received a response from the vendor, therefore, in accordance with our policy, we are publishing the entries 90 days after the first contact attempt.
Credits
We thank Kamil Szczurowski for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.