CVE-2025-9725
BaseFortify
Publication date: 2025-08-31
Last updated on: 2026-04-29
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cudy | lt500e_firmware | to 2.3.13 (exc) |
| cudy | lt500e | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-255 | |
| CWE-259 | The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components. |
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the Cudy LT500E router firmware up to version 2.3.12 involves a hard-coded default password 'admin' stored in the device's /squashfs-root/etc/shadow file and used by the web interface. The password is weakly hashed and the hash can be cracked, allowing an attacker with local access to gain unauthorized root access to the router's web interface and network services. The vulnerability requires local access and is difficult to exploit. It is fixed by upgrading to firmware version 2.3.13 or later, where the default password is removed and users must create a new password upon first login. [1, 2]
How can this vulnerability impact me?
If exploited, this vulnerability allows an attacker with local access to gain unauthorized root access to the router's web interface and other network services by using the default hard-coded password. This can lead to unauthorized control over the device, potentially compromising network security and confidentiality. However, the attack complexity is high and requires local access, limiting the risk to nearby attackers or those with physical or local network access. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether the device runs Cudy LT500E firmware up to version 2.3.12 and whether the default password 'admin' is still in use. Because the password is stored in the /squashfs-root/etc/shadow file as an MD5-crypt hash, a tool such as 'John the Ripper' can be run against the hash to confirm that the default password is present. For example:
1) Access the device shell locally.
2) Extract the /etc/shadow file or its equivalent.
3) Run 'john --format=md5crypt shadowfile' to attempt password cracking.
Detection requires local access due to the attack complexity and exploitability. [1, 2]
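The check described above can also be run as a single-candidate audit rather than a cracking job. The following is an added example, not code from the advisory or the vendor: it recomputes the MD5-crypt hash of the one known default password against each `$1$` entry of a shadow file extracted from a firmware image you own. The function names, salts and sample shadow lines are constructed for illustration.

```python
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5crypt(password: bytes, salt: bytes) -> str:
    """MD5-crypt ($1$) as found in /etc/shadow; the salt is at most 8 bytes."""
    salt = salt[:8]
    alt = hashlib.md5(password + salt + password).digest()
    ctx = hashlib.md5(password + b"$1$" + salt)
    for n in range(len(password), 0, -16):
        ctx.update(alt[:min(16, n)])
    n = len(password)
    while n:
        ctx.update(b"\x00" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000-round stretching loop
        c = hashlib.md5(password if i & 1 else final)
        c.update((salt if i % 3 else b"") + (password if i % 7 else b""))
        c.update(final if i & 1 else password)
        final = c.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    vals = [(final[a] << 16) | (final[b] << 8) | final[c] for a, b, c in groups]
    out = ""
    for v, width in [(x, 4) for x in vals] + [(final[11], 2)]:
        for _ in range(width):
            out += ITOA64[v & 0x3F]
            v >>= 6
    return f"$1${salt.decode()}${out}"

def accounts_with_password(shadow_text: str, candidate: str = "admin") -> list:
    """Return account names whose $1$ hash matches the candidate password."""
    hits = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or not fields[1].startswith("$1$"):
            continue  # locked ("*", "!"), empty, or a different hash scheme
        salt = fields[1].split("$")[2]
        if md5crypt(candidate.encode(), salt.encode()) == fields[1]:
            hits.append(fields[0])
    return hits

# Constructed sample, not taken from a device: root uses 'admin', guest does not.
SAMPLE = "\n".join(["root:" + md5crypt(b"admin", b"c0nstrct") + ":0:0:99999:7:::",
                    "guest:" + md5crypt(b"Xk9!vq2#Lm", b"c0nstrc2") + ":0:0:99999:7:::",
                    "daemon:*:0:0:99999:7:::"])
print(accounts_with_password(SAMPLE))
```

A hit on a `$1$` entry means the image still carries the default credential and the device should be moved to firmware 2.3.13 or later.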
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Cudy LT500E router firmware to version 2.3.13 or later, where the default 'admin' password has been deprecated and no administrator password is set by default. After upgrading, ensure that a new administrator password of at least 8 characters is manually created upon first login to the web management interface. This upgrade eliminates the hard-coded password vulnerability and prevents unauthorized access. [2]