CVE-2025-9778
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-01

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in Tenda W12 up to 3.0.0.6(3948). Affected is an unknown function of the file /etc_ro/shadow of the component Administrative Interface. The manipulation leads to hard-coded credentials. An attack has to be approached locally. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-01
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-09-01
EPSS Evaluated
2026-06-14
NVD
CVE-2025-9778
EUVD
EUVD-2025-26339
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
tenda w12_firmware 3.0.0.6\(3948\)
tenda w12 *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-259 The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.
CWE-798 The product contains hard-coded credentials, such as a password or cryptographic key.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-9778 is a security vulnerability in the Tenda W12 router series up to firmware version 3.0.0.6(3948). It involves hard-coded root user credentials stored in the file /etc_ro/shadow. The root password is embedded in the firmware, hashed with MD5-crypt, and can be cracked using tools like John the Ripper. This allows an attacker with local access to gain unauthorized root access to the device through the administrative interface or network services. The vulnerability is difficult to exploit due to the need for local access and high authentication complexity. [1, 2]

Impact Analysis

This vulnerability can allow an attacker with local access to the device to gain unauthorized root-level control by exploiting the hard-coded credentials. This could lead to full control over the router, potentially compromising network security, intercepting or manipulating network traffic, and disrupting device functionality. However, exploitation is difficult and requires local access and elevated privileges. [1, 2]

Detection Guidance

This vulnerability can be detected by checking the presence of the hard-coded root credentials in the /etc_ro/shadow file on the Tenda W12 device firmware up to version 3.0.0.6(3948). Since the root password is hard-coded and hashed with MD5-crypt, tools like John the Ripper can be used to verify if the password 'Fireitup' is present. Commands to extract and test the hash could include accessing the device locally, dumping the /etc_ro/shadow file, and running John the Ripper against it. For example: 1) Access the device shell locally. 2) Extract the hash from /etc_ro/shadow: `cat /etc_ro/shadow | grep root`. 3) Save the hash to a file, e.g., `hash.txt`. 4) Run John the Ripper: `john --format=md5crypt hash.txt`. Detection involves confirming if the cracked password matches the known hard-coded password 'Fireitup'. [1]

Mitigation Strategies

Immediate mitigation steps include replacing the affected Tenda W12 device with an alternative product, as no known countermeasures or vendor-provided mitigations exist. Since the vulnerability requires local access and high authentication complexity, restricting physical or local access to the device can reduce risk. Monitoring for unauthorized local access attempts and limiting administrative interface access are also advisable. Firmware updates do not appear to fix this issue, so device replacement is recommended. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-9778. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart