Description

CERT Polska has received a report about vulnerabilities in WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) routers and participated in coordination of their disclosure.

The vulnerability CVE-2025-65007: In WD-R608U router (also known as WDR122B V2.0 and WDR28) due to lack of authentication in the configuration change module in the adm.cgi endpoint, the unauthenticated attacker can execute commands including backup creation, device restart and resetting the device to factory settings.

The vulnerability CVE-2025-65008: In WD-R608U router (also known as WDR122B V2.0 and WDR28) due to lack of validation in the langGet parameter in the adm.cgi endpoint, the malicious attacker can execute system shell commands.

The vulnerability CVE-2025-65009: In WD-R608U router (also known as WDR122B V2.0 and WDR28) admin password is stored in configuration file as plaintext and can be obtained by unauthorized user by direct references to the resource in question.

The vulnerability CVE-2025-65010: WD-R608U router (also known as WDR122B V2.0 and WDR28) is vulnerable to Broken Access Control in initial configuration wizard.cgi endpoint. Malicious attacker can change admin panel password without authorization. The vulnerability can also be exploited after the initial configuration has been set.

The vulnerability CVE-2025-65011: In WD-R608U router (also known as WDR122B V2.0 and WDR28) an unauthorised user can view configuration files by directly referencing the resource in question.

The vendor was notified early about these vulnerabilities, but didn't respond with the details of vulnerabilities or vulnerable version range. Only version WDR28081123OV1.01 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

Credits

We thank Wojciech Cybowski for the responsible vulnerability report.