CVE-2025-65008
Command Injection in WODESYS WD-R608U Router via adm.cgi Endpoint
Publication date: 2025-12-18
Last updated on: 2025-12-18
Assigner: CERT.PL
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wodesys | wd-r608u | wdr28081123ov1.01 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) is due to a lack of validation in the 'langGet' parameter within the adm.cgi endpoint. This flaw allows a malicious attacker to inject and execute arbitrary system shell commands on the device, leading to unauthorized command execution. It is classified as an OS Command Injection vulnerability (CWE-78). Only firmware version WDR28081123OV1.01 was tested and confirmed vulnerable, but other versions might also be affected. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker to execute arbitrary system shell commands on the affected router without any privileges or user interaction. This could lead to full compromise of the device, unauthorized access to the network, interception or manipulation of network traffic, disruption of network services, and potentially further attacks on connected systems. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether the router's adm.cgi endpoint is accessible and whether the langGet parameter is vulnerable to command injection. A common approach is to send crafted HTTP requests to the adm.cgi endpoint with payloads in the langGet parameter that attempt to execute system commands. For example, using curl to test for command injection: `curl -v 'http://<router-ip>/adm.cgi?langGet=;id'`. If the response contains output from the `id` command, the device is vulnerable. Monitoring network traffic for unusual requests to adm.cgi with suspicious langGet parameters can also help detect exploitation attempts. [1]
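The monitoring suggestion above can be turned into a small log-based detector. The following is an added example, not code from the CERT.PL advisory or from the vendor. It assumes that requests to the router are recorded in Common Log Format by the device itself or by an upstream proxy, and it assumes that a legitimate `langGet` value is a short language tag such as `en` or `en-US` (the advisory does not document the parameter's expected format, so that pattern is a stated assumption). The log lines are constructed sample data.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed access-log lines in Common Log Format (sample data, not real captures).
SAMPLE_LOG = """\
192.168.1.50 - - [18/Dec/2025:10:01:02 +0000] "GET /adm.cgi?langGet=en HTTP/1.1" 200 512
192.168.1.77 - - [18/Dec/2025:10:01:09 +0000] "GET /adm.cgi?langGet=;id HTTP/1.1" 200 640
192.168.1.77 - - [18/Dec/2025:10:01:15 +0000] "GET /adm.cgi?langGet=en%7Cid HTTP/1.1" 200 700
192.168.1.50 - - [18/Dec/2025:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048
192.168.1.90 - - [18/Dec/2025:10:02:30 +0000] "GET /adm.cgi?langGet=en-US HTTP/1.1" 200 512
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD target PROTO", status, size.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Assumption: a legitimate langGet value is a short language tag such as "en" or "en-US".
# The advisory does not document the expected format; tighten this to what your device sends.
LANG_TAG = re.compile(r'^[A-Za-z]{2,3}(?:[-_][A-Za-z0-9]{2,8})?$')

# Shell metacharacters that change the meaning of an OS command built from the value (CWE-78).
SHELL_META = re.compile(r'[;|&`$<>\n\r(){}]')


def split_query(query: str) -> dict:
    """Split a raw query string on '&' only and percent-decode each key and value.

    Done by hand rather than with parse_qs so that a raw ';' inside a value (as in
    the curl probe quoted in the advisory) stays part of the value instead of being
    treated as a pair separator, which older Python versions did.
    """
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def is_suspicious_lang_value(value: str):
    """Return a reason string if the langGet value looks like an injection attempt, else None."""
    if SHELL_META.search(value):
        return "shell metacharacter in langGet"
    if not LANG_TAG.match(value):
        return "langGet does not look like a language tag"
    return None


def scan_access_log(text: str) -> list:
    """Return one finding per request to /adm.cgi whose langGet value is suspicious."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        parts = urlsplit(m.group("target"))
        if parts.path != "/adm.cgi":
            continue
        # Body parameters of POST requests are not visible in a standard access log;
        # only the query string is inspected here, so pair this with body logging on a proxy.
        for value in split_query(parts.query).get("langGet", []):
            reason = is_suspicious_lang_value(value)
            if reason:
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "value": value, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} langGet={f['value']!r}: {f['reason']}")
```

Run against the constructed sample, the detector reports the two requests from 192.168.1.77 and ignores the plain language-tag requests and the unrelated page fetch. Decoding happens before the check, so percent-encoded metacharacters (`%7C`, `%3B`) are caught as well as raw ones.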
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the router's web management interface (adm.cgi endpoint) by limiting it to trusted networks or IP addresses, disabling remote management if not needed, and monitoring for suspicious activity targeting the langGet parameter. Since the vendor has not provided patches or detailed version information beyond the tested vulnerable version WDR28081123OV1.01, consider upgrading to a newer firmware version if available or replacing the device with a secure alternative. Applying network-level protections such as firewall rules to block unauthorized access to the router's management interface is also recommended. [1]