CVE-2025-62774
BaseFortify
Publication date: 2025-10-22
Last updated on: 2025-10-22
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mercku | m6a_router | 2.1.0 |
| openwrt | openwrt | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-331 | The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-62774 affects Mercku M6a routers running firmware version 2.1.0. The vulnerability involves predictable session tokens based on timestamps, which can be brute-forced to hijack sessions. Additionally, the router's web interface lacks proper CSRF protections, allowing an attacker on the local network to reset the admin password without consent. After gaining admin access, an attacker can enable a hidden telnet backdoor that provides root shell access, leading to full device control. The session tokens do not expire, allowing long-term unauthorized access. This chain of vulnerabilities enables remote code execution and persistent control over the router. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker on the local network to hijack your router's admin session or reset the admin password stealthily. Once admin access is obtained, the attacker can enable a hidden telnet backdoor to gain root shell access, giving them full control over your router. This includes intercepting network traffic, modifying router settings, executing arbitrary code, and moving laterally to other devices on your network. The persistent session tokens mean unauthorized access can last indefinitely, even after reboots. If remote management is enabled, attackers could potentially exploit this remotely, putting your home or business network security at severe risk. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for predictable session tokens in use on the Mercku M6a router, specifically tokens in the format 's{timestamp}'. You can attempt to brute-force session tokens by iterating over Unix timestamp values to find valid sessions. Additionally, monitoring for unexpected POST requests to the admin password change endpoint or to the hidden telnet backdoor API endpoint (http://192.168.127.1/web/advance/telnet or /app with method 'router.telnet.enabled.update') can indicate exploitation attempts. While no specific commands are provided, using network traffic analysis tools (e.g., Wireshark or tcpdump) to capture and inspect HTTP requests to these endpoints, and scripting brute-force attempts against session tokens using Python or similar, are suggested detection methods. [1]
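The following is an added example of the monitoring the answer above suggests; it is not code from BaseFortify, Mercku or OpenWrt. It assumes a capture of the router's admin-interface traffic exported as JSON lines with `src`, `method`, `path`, `session` and `body` fields (for instance from a proxy or IDS in front of the router), assumes the `router.telnet.enabled.update` call name travels in the POST body, and uses a clearly marked placeholder for the password-change path because the page does not name it. It flags requests to the telnet endpoints, requests carrying a session token of the predictable `s<timestamp>` shape, and sources that present many different such tokens, which is the footprint of someone iterating candidate sessions rather than using one issued token. The sample capture is constructed.

```python
import json
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Indicators taken from the write-up above. The password-change path is not named
# on the page, so it is a placeholder (assumption) to replace with the real path.
TELNET_PATH = "/web/advance/telnet"
APP_PATH = "/app"
TELNET_RPC_METHOD = "router.telnet.enabled.update"
PASSWORD_CHANGE_PATH = "/PLACEHOLDER/admin-password-change"  # assumption, not from the page

# Predictable token shape described on the page: 's' followed by a Unix timestamp.
PREDICTABLE_TOKEN = re.compile(r"^s\d{10}$")


def classify(event: dict) -> List[str]:
    """Return the indicator tags that apply to one captured request."""
    tags = []
    method = str(event.get("method", "")).upper()
    path = event.get("path", "")
    body = event.get("body", "")
    token = event.get("session", "")
    if path == TELNET_PATH:
        tags.append("telnet-endpoint")
    # Assumption: the RPC call name travels in the POST body (adapt if your capture differs).
    if path == APP_PATH and method == "POST" and TELNET_RPC_METHOD in body:
        tags.append("telnet-rpc-enable")
    if path == PASSWORD_CHANGE_PATH and method == "POST":
        tags.append("password-change")
    if PREDICTABLE_TOKEN.match(token):
        tags.append("predictable-session-token")
    return tags


def parse_capture(lines: Iterable[str]) -> List[dict]:
    """Parse JSON-lines capture records, skipping blank or malformed lines."""
    events = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        event["_line"] = n
        events.append(event)
    return events


def scan(lines: Iterable[str]) -> List[dict]:
    """One alert per request that matches at least one indicator."""
    alerts = []
    for event in parse_capture(lines):
        tags = classify(event)
        if tags:
            alerts.append({"line": event["_line"], "src": event.get("src"),
                           "path": event.get("path"), "tags": tags})
    return alerts


def token_sweeps(lines: Iterable[str], threshold: int = 3) -> Dict[str, int]:
    """Sources presenting many *different* timestamp-shaped tokens: a sign that
    sessions are being iterated rather than one issued token being used."""
    seen: Dict[str, set] = defaultdict(set)
    for event in parse_capture(lines):
        token = event.get("session", "")
        if PREDICTABLE_TOKEN.match(token):
            seen[event.get("src", "?")].add(token)
    return {src: len(toks) for src, toks in seen.items() if len(toks) >= threshold}


# Constructed sample capture (not real traffic): one host enabling telnet with a
# timestamp-shaped token, one host cycling through several such tokens, one benign host.
_rpc_body = json.dumps({"method": TELNET_RPC_METHOD, "params": {"enabled": True}})
SAMPLE_EVENTS = [
    {"src": "192.168.127.20", "method": "GET", "path": "/web/status", "session": "s1729584000", "body": ""},
    {"src": "192.168.127.20", "method": "POST", "path": "/app", "session": "s1729584000", "body": _rpc_body},
    {"src": "192.168.127.20", "method": "GET", "path": TELNET_PATH, "session": "s1729584000", "body": ""},
    {"src": "192.168.127.33", "method": "GET", "path": "/web/status", "session": "s1729583990", "body": ""},
    {"src": "192.168.127.33", "method": "GET", "path": "/web/status", "session": "s1729583991", "body": ""},
    {"src": "192.168.127.33", "method": "GET", "path": "/web/status", "session": "s1729583992", "body": ""},
    {"src": "192.168.127.33", "method": "GET", "path": "/web/status", "session": "s1729583993", "body": ""},
    {"src": "192.168.127.7", "method": "GET", "path": "/web/status", "session": "kQ8vZ2mN4pL9xR3sT6wY1bC5dF7gH0jA", "body": ""},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LINES):
        print(alert)
    print("token sweeps:", token_sweeps(SAMPLE_LINES))
```

Run against the sample, the scan raises seven alerts (every request that carries a timestamp-shaped token, with the telnet RPC call and the telnet page additionally tagged) and the sweep detector reports `192.168.127.33` with four distinct tokens; the host using a random-looking token triggers nothing. Tune `threshold` to the number of sessions a legitimate administrator would plausibly hold from one address.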
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
1. Restrict local network access to the router's admin interface to trusted users only.
2. Disable remote management if enabled to prevent remote exploitation.
3. Monitor and block suspicious POST requests targeting the password change endpoint and the hidden telnet backdoor API.
4. Change the admin password manually to invalidate any hijacked sessions.
5. If possible, disable or block the hidden telnet backdoor endpoint.
6. Apply any available firmware patches from Mercku promptly once released.
7. Enforce network segmentation to limit attacker lateral movement if compromise occurs. [1]
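The three root causes this record describes, timestamp-derived tokens (the CWE-331 row above), tokens that never expire, and sessions that survive a password change (which is why step 4 of the mitigation list matters), are vendor-side design defects. As an added reference example, not Mercku's or OpenWrt's code, here is what a hardened session scheme looks like: a helper that quantifies how little unpredictability a `s<unix-timestamp>` token carries, and a session store that draws tokens from the OS CSPRNG, attaches an expiry, keys its table by a hash of the token, and revokes every session of a user when that user's password changes. The `SessionStore` class and its method names are assumptions for this illustration.

```python
import hashlib
import math
import secrets
import time
from typing import Dict, Optional, Tuple


def timestamp_token_entropy_bits(window_seconds: int) -> float:
    """Unpredictability of an 's<unix-timestamp>' token (CWE-331): if an observer
    can bound the issue time to a window of this many seconds, the token carries
    only log2(window_seconds) bits, e.g. about 16.4 bits for a whole day."""
    return math.log2(window_seconds)


def random_token_entropy_bits(token_bytes: int) -> int:
    """A token of token_bytes CSPRNG bytes carries 8 * token_bytes bits."""
    return 8 * token_bytes


class SessionStore:
    """Reference design for hardened session handling (assumption: illustrative,
    not the router's code): CSPRNG tokens, an expiry, and revocation on password change."""

    def __init__(self, ttl_seconds: int = 900, token_bytes: int = 32):
        self.ttl = ttl_seconds
        self.token_bytes = token_bytes
        # Keyed by SHA-256 of the token, so a dump of the store does not expose live tokens.
        self._sessions: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, now: Optional[float] = None) -> str:
        """Mint a session token that is independent of the clock."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(self.token_bytes)  # 256 bits from the OS CSPRNG
        self._sessions[self._key(token)] = (user, now + self.ttl)
        return token

    def validate(self, presented: str, now: Optional[float] = None) -> Optional[str]:
        """Return the session's user, or None if unknown or expired. Expired
        entries are dropped, so no token lives forever."""
        now = time.time() if now is None else now
        key = self._key(presented)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        user, expiry = entry
        if now >= expiry:
            del self._sessions[key]
            return None
        return user

    def revoke_user(self, user: str) -> int:
        """Invalidate every session of a user; call this from the password-change
        handler so a hijacked token stops working. Returns the number revoked."""
        doomed = [k for k, (u, _) in self._sessions.items() if u == user]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


if __name__ == "__main__":
    print("one-day timestamp token:", round(timestamp_token_entropy_bits(86400), 1), "bits")
    print("32-byte random token:", random_token_entropy_bits(32), "bits")
    store = SessionStore(ttl_seconds=600)
    tok = store.issue("admin")
    print("valid now:", store.validate(tok))
    print("revoked on password change:", store.revoke_user("admin"))
    print("valid after revocation:", store.validate(tok))
```

The entropy helper makes the CWE-331 point concrete: a token whose only secret is the second it was issued can be narrowed to roughly sixteen bits of uncertainty over a day, against 256 bits for a 32-byte random token. The store shows the two behaviours the router lacks, expiry and invalidation on credential change, in a form a firmware web interface could adopt directly.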