CVE-2025-9778
BaseFortify
Publication date: 2025-09-01
Last updated on: 2026-04-29
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | w12_firmware | 3.0.0.6(3948) |
| tenda | w12 | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-259 | The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components. |
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9778 is a security vulnerability in the Tenda W12 router series up to firmware version 3.0.0.6(3948). It involves hard-coded root user credentials stored in the file /etc_ro/shadow. The root password is embedded in the firmware, hashed with MD5-crypt, and can be cracked using tools like John the Ripper. This allows an attacker with local access to gain unauthorized root access to the device through the administrative interface or network services. The vulnerability is difficult to exploit due to the need for local access and high authentication complexity. [1, 2]
How can this vulnerability impact me?
This vulnerability can allow an attacker with local access to the device to gain unauthorized root-level control by exploiting the hard-coded credentials. This could lead to full control over the router, potentially compromising network security, intercepting or manipulating network traffic, and disrupting device functionality. However, exploitation is difficult and requires local access and elevated privileges. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the hard-coded root credentials in the /etc_ro/shadow file of Tenda W12 firmware up to version 3.0.0.6(3948). Because the root password is hard-coded and hashed with MD5-crypt, tools like John the Ripper can be used to verify whether the password 'Fireitup' is present. The process involves accessing the device locally, dumping the /etc_ro/shadow file, and running John the Ripper against it. For example:

1. Access the device shell locally.
2. Extract the hash from /etc_ro/shadow: `cat /etc_ro/shadow | grep root`.
3. Save the hash to a file, e.g., `hash.txt`.
4. Run John the Ripper: `john --format=md5crypt hash.txt`.

Detection is confirmed if the cracked password matches the known hard-coded password 'Fireitup'. [1]
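The same check can be run offline against an unpacked firmware image instead of a live device. The following is an added example, not code from this page or from the vendor: it parses a shadow file such as etc_ro/shadow and reports every account that ships with a usable password field. The function names are hypothetical, and the sample entries use constructed placeholder salts and digests.

```python
"""Audit a shadow file copied from an unpacked firmware image (e.g. etc_ro/shadow)."""
from typing import NamedTuple, Optional

# crypt(3) prefixes; md5-crypt ($1$) is the scheme this page names.
SCHEMES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
           "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}
WEAK = {"empty", "descrypt", "md5crypt"}  # cheap to brute-force offline


class Finding(NamedTuple):
    user: str
    scheme: str
    weak: bool


def classify(field: str) -> Optional[str]:
    """Name the hash scheme, or return None when password login is locked."""
    if field == "":
        return "empty"               # no password at all
    if field[0] in "!*":
        return None                  # locked account, not a usable credential
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return name
    return "descrypt" if len(field) == 13 else "unknown"


def audit_shadow(text: str) -> list:
    """Return a Finding for each account that ships with a usable password field."""
    findings = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 2 or parts[0].startswith("#"):
            continue                 # blank, malformed or comment line
        scheme = classify(parts[1])
        if scheme is not None:
            findings.append(Finding(parts[0], scheme, scheme in WEAK))
    return findings


# Constructed sample: placeholder salts and digests, not taken from any device.
SAMPLE = """\
root:$1$SALTSALT$PLACEHOLDERPLACEHOLDER:14319::::::
admin:$6$SALTSALT$PLACEHOLDERDIGEST:14319::::::
nobody:*:14319::::::
guest::14319::::::
"""

if __name__ == "__main__":
    for f in audit_shadow(SAMPLE):
        print(f"{f.user}: {f.scheme}{' (weak)' if f.weak else ''}")
```

Any finding in a shadow file on a read-only firmware path means every unit running that image shares the credential, whatever the hash scheme.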
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing the affected Tenda W12 device with an alternative product, as no known countermeasures or vendor-provided mitigations exist. Since the vulnerability requires local access and high authentication complexity, restricting physical or local access to the device can reduce risk. Monitoring for unauthorized local access attempts and limiting administrative interface access are also advisable. Firmware updates do not appear to fix this issue, so device replacement is recommended. [2]