CVE-2025-68716
Default-Enabled SSH with Root No-Password on KAYSUS KS-WR
Publication date: 2026-01-08
Last updated on: 2026-02-02
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kaysus | ks-wr3600 | 1.0.5.9.1 |
| kaysus | ks-wr3600_firmware | 1.0.5.9.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-521 | The product does not require that users should have strong passwords. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1, where the SSH service is enabled by default on the LAN interface. The root account has no password set, and administrators cannot disable SSH or enforce authentication through the CLI or web GUI. This allows any attacker with LAN access to easily gain root shell access and execute arbitrary commands with full privileges.
How can this vulnerability impact me? :
This vulnerability allows an attacker on the local network to gain root-level access to the router without any authentication. With full root privileges, the attacker can execute arbitrary commands, potentially compromising the entire network, intercepting or modifying traffic, disrupting services, or using the router as a foothold for further attacks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking if the KAYSUS KS-WR3600 router is running firmware version 1.0.5.9.1 and if the SSH service is enabled on the LAN interface. Since the root account has no password and SSH cannot be disabled or secured, you can attempt to connect via SSH from the LAN side using a command like 'ssh root@<router_ip>' without a password prompt. Successful login without authentication indicates the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include isolating the affected router from untrusted LAN networks to prevent unauthorized SSH access, and if possible, replacing the device or firmware with a secure version. Since the SSH service cannot be disabled or secured via CLI or web GUI, network-level controls such as firewall rules blocking SSH access to the router from LAN devices should be implemented.