CVE-2025-62774
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-22

Last updated on: 2025-10-22

Assigner: MITRE

Description
On Mercku M6a devices through 2.1.0, the authentication system uses predictable session tokens based on timestamps.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-22
Last Modified
2025-10-22
Generated
2026-06-16
AI Q&A
2025-10-22
EPSS Evaluated
2026-06-15
NVD
CVE-2025-62774
EUVD
EUVD-2025-35313
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
mercku m6a_router 2.1.0
openwrt openwrt *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-331 The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-62774 affects Mercku M6a routers running firmware version 2.1.0. The vulnerability involves predictable session tokens based on timestamps, which can be brute-forced to hijack sessions. Additionally, the router's web interface lacks proper CSRF protections, allowing an attacker on the local network to reset the admin password without consent. After gaining admin access, an attacker can enable a hidden telnet backdoor that provides root shell access, leading to full device control. The session tokens do not expire, allowing long-term unauthorized access. This chain of vulnerabilities enables remote code execution and persistent control over the router. [1]

Impact Analysis

This vulnerability can allow an attacker on the local network to hijack your router's admin session or reset the admin password stealthily. Once admin access is obtained, the attacker can enable a hidden telnet backdoor to gain root shell access, giving them full control over your router. This includes intercepting network traffic, modifying router settings, executing arbitrary code, and moving laterally to other devices on your network. The persistent session tokens mean unauthorized access can last indefinitely, even after reboots. If remote management is enabled, attackers could potentially exploit this remotely, putting your home or business network security at severe risk. [1]

Detection Guidance

This vulnerability can be detected by checking for predictable session tokens in use on the Mercku M6a router, specifically tokens in the format 's{timestamp}'. You can attempt to brute-force session tokens by iterating over Unix timestamp values to find valid sessions. Additionally, monitoring for unexpected POST requests to the admin password change endpoint or to the hidden telnet backdoor API endpoint (http://192.168.127.1/web/advance/telnet or /app with method 'router.telnet.enabled.update') can indicate exploitation attempts. While no specific commands are provided, using network traffic analysis tools (e.g., Wireshark or tcpdump) to capture and inspect HTTP requests to these endpoints, and scripting brute-force attempts against session tokens using Python or similar, are suggested detection methods. [1]

Mitigation Strategies

Immediate mitigation steps include: 1) Restrict local network access to the router's admin interface to trusted users only. 2) Disable remote management if enabled to prevent remote exploitation. 3) Monitor and block suspicious POST requests targeting the password change endpoint and the hidden telnet backdoor API. 4) Change the admin password manually to invalidate any hijacked sessions. 5) If possible, disable or block the hidden telnet backdoor endpoint. 6) Apply any available firmware patches from Mercku promptly once released. 7) Enforce network segmentation to limit attacker lateral movement if compromise occurs. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62774. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart