CVE-2025-65753
Received Received - Intake
Command Injection in Guardian Gryphon TLS Allows Root Access

Publication date: 2026-02-17

Last updated on: 2026-02-19

Assigner: MITRE

Description
An issue in the TLS certification mechanism of Guardian Gryphon v01.06.0006.22 allows attackers to execute commands as root.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-17
Last Modified
2026-02-19
Generated
2026-06-16
AI Q&A
2026-02-17
EPSS Evaluated
2026-06-14
NVD
CVE-2025-65753
EUVD
EUVD-2025-207824
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gryphon guardian 01.06.0006.22
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-65753 is a remote code execution vulnerability affecting Gryphon Guardian WiFi access points running firmware version 01.06.0006.22. The issue stems from improper TLS certificate validation when the device downloads a speedtest client from the internet.

Because the device accepts self-signed certificates without proper verification, an attacker can perform a man-in-the-middle (MitM) attack or DNS spoofing to intercept and manipulate the download.

This allows the attacker to inject malicious code into the speedtest client tarball, which the device then executes with root privileges, giving the attacker full control over the device.

Impact Analysis

This vulnerability can have severe impacts as it allows attackers to execute arbitrary commands with root privileges on the affected Gryphon Guardian device.

An attacker exploiting this flaw can gain full control over the device, potentially leading to unauthorized access to your network, interception of sensitive data, disruption of network services, and further compromise of connected systems.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by monitoring for suspicious TLS certificate validation failures or unexpected downloads of the speedtest client from the URL https://install.speedtest.net/app/cli/ookla-speedtest-1.2.0-linux-armhf.tgz. Since the attack involves man-in-the-middle (MitM) or DNS spoofing techniques, network traffic inspection tools can be used to detect anomalies.

Commands to help detect this vulnerability include:

  • Use tcpdump or Wireshark to capture and analyze network traffic for suspicious TLS connections or DNS responses:
  • tcpdump -i <interface> host install.speedtest.net and port 443
  • Check for unexpected or self-signed TLS certificates during the download process.
  • Use tools like openssl to manually verify the certificate of the speedtest client server:
  • openssl s_client -connect install.speedtest.net:443
  • Inspect the downloaded tarball for unexpected contents or modifications, for example by checking the hash or extracting and reviewing the files.
  • Monitor the device for unexpected root shell activity or unusual processes, which may indicate exploitation.
Mitigation Strategies

Immediate mitigation steps include preventing the device from downloading the speedtest client from untrusted sources and blocking man-in-the-middle or DNS spoofing attacks.

  • Restrict network access to the legitimate speedtest client server by enforcing strict DNS and TLS validation.
  • Implement network-level protections such as DNSSEC or secure DNS resolvers to prevent DNS spoofing.
  • Use network segmentation or firewall rules to block unauthorized MitM attempts or suspicious traffic.
  • Monitor and audit device logs for signs of exploitation or unexpected command execution.
  • If possible, update the firmware of the Gryphon Guardian device to a version that patches this TLS certificate validation issue.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-65753. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart