CVE-2025-7882
BaseFortify

Publication date: 2025-07-20

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in Mercusys MW301R 1.0.2 Build 190726 Rel.59423n. It has been rated as problematic. This issue affects some unknown processing of the component Login. The manipulation leads to improper restriction of excessive authentication attempts. The attack can only be initiated within the local network. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2025-07-20
Last Modified: 2026-04-29
Generated: 2026-05-27
AI Q&A: 2025-07-20
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Showing 1 associated CPE
Vendor: mercusys
Product: mw301r
Version / Range: 1.0.2
CWE
CWE-799: The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.
CWE-307: The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-7882 is a vulnerability in the Mercusys MW301R router firmware version 1.0.2 Build 190726 Rel.59423n. It affects the login component by improperly restricting excessive authentication attempts. The router's brute-force protection relies only on tracking the source IP address to block login attempts after failures. An attacker on the local network can bypass this by changing their IP address, resetting the login attempt counter and enabling brute-force attacks on the admin login page. This allows the attacker to guess passwords without being blocked effectively. [1, 2]


How can this vulnerability impact me?

This vulnerability can impact you by allowing an attacker within your local network to perform brute-force attacks on your router's admin login page. Because the protection mechanism can be bypassed by changing IP addresses, the attacker can repeatedly attempt to guess the admin password, potentially gaining unauthorized access to your router. This compromises the integrity of your device and network security, possibly leading to further exploitation or unauthorized control of your network. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unusual or repeated login attempts on the Mercusys MW301R router's admin interface that come from different local IP addresses within a short timeframe, which indicates IP cycling to bypass the brute-force protection. Because the attack is local and involves excessive authentication attempts, check the router logs for multiple failed login attempts from varying IPs. Specific commands depend on the router's firmware capabilities, but in general you can use network monitoring tools to capture traffic to the router's login port (usually HTTP/HTTPS) and analyze it for repeated authentication failures. For example, use tcpdump or Wireshark on the local network to filter traffic to the router's IP on port 80 or 443, then review the logs for repeated login attempts from different IPs. However, no specific commands are provided in the resources. [1, 2]
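The detection idea above, as an added Python example that does not come from the cited resources or the vendor: it counts failed logins across all source addresses in a sliding window and alerts when they are spread over several IPs. The log line format, the thresholds and the sample events are assumptions constructed for illustration, and events are assumed to arrive in chronological order.

```python
from collections import deque
from datetime import datetime, timedelta

def constructed_sample():
    """Constructed log lines: a user mistyping twice, then 12 failures over 4 IPs."""
    base = datetime(2025, 7, 20, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=s)).isoformat()} 192.168.1.20 {outcome}"
             for s, outcome in [(0, "LOGIN_FAIL"), (20, "LOGIN_FAIL"), (40, "LOGIN_OK")]]
    start = base + timedelta(hours=1)
    for n in range(12):
        ip = f"192.168.1.{101 + n // 3}"  # constructed: address changes every 3 failures
        lines.append(f"{(start + timedelta(seconds=10 * n)).isoformat()} {ip} LOGIN_FAIL")
    return lines

def parse_line(line):
    """Parse the hypothetical 'ISO-timestamp source-IP outcome' format used here."""
    ts, ip, outcome = line.split()
    return datetime.fromisoformat(ts), ip, outcome

def detect_ip_cycling(lines, window=timedelta(minutes=5), min_failures=10, min_ips=3):
    """Alert when failures inside one sliding window are spread over many source IPs.

    Counting across all sources matters here: a per-IP counter (the router's own
    approach) never sees more than a few failures from any single address.
    """
    recent = deque()   # (timestamp, ip) of failures still inside the window
    alerts, alerting = [], False
    for line in lines:
        if not line.strip():
            continue
        ts, ip, outcome = parse_line(line)
        if outcome != "LOGIN_FAIL":
            continue
        recent.append((ts, ip))
        while ts - recent[0][0] > window:
            recent.popleft()
        ips = {addr for _, addr in recent}
        hit = len(recent) >= min_failures and len(ips) >= min_ips
        if hit and not alerting:  # report once per burst, not once per event
            alerts.append({"start": recent[0][0], "end": ts,
                           "failures": len(recent), "source_ips": sorted(ips)})
        alerting = hit
    return alerts

if __name__ == "__main__":
    for alert in detect_ip_cycling(constructed_sample()):
        print(alert)
```

To use it on real data, replace `parse_line` with a parser for whatever source records the failed logins, such as failure events extracted from a packet capture of the admin interface.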


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting local network access to the router's admin interface to trusted devices only, monitoring for suspicious login attempts, and considering replacing the affected Mercusys MW301R device with an alternative product, as no patches or official mitigations are available from the vendor. Additionally, implementing network segmentation to limit attacker access within the LAN can reduce risk. Since the vulnerability allows bypassing brute-force protections via IP address cycling, limiting the number of devices that can access the router's login page and enforcing strong passwords can help mitigate exploitation. [2]

