CVE-2025-65753
Command Injection in Guardian Gryphon TLS Allows Root Access
Publication date: 2026-02-17
Last updated on: 2026-02-19
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gryphon | guardian | 01.06.0006.22 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-65753 is a remote code execution vulnerability affecting Gryphon Guardian WiFi access points running firmware version 01.06.0006.22. The issue stems from improper TLS certificate validation when the device downloads a speedtest client from the internet.
Because the device accepts self-signed certificates without proper verification, an attacker can perform a man-in-the-middle (MitM) attack or DNS spoofing to intercept and manipulate the download.
This allows the attacker to inject malicious code into the speedtest client tarball, which the device then executes with root privileges, giving the attacker full control over the device.
How can this vulnerability impact me?
This vulnerability can have severe impacts as it allows attackers to execute arbitrary commands with root privileges on the affected Gryphon Guardian device.
An attacker exploiting this flaw can gain full control over the device, potentially leading to unauthorized access to your network, interception of sensitive data, disruption of network services, and further compromise of connected systems.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious TLS certificate validation failures or unexpected downloads of the speedtest client from the URL https://install.speedtest.net/app/cli/ookla-speedtest-1.2.0-linux-armhf.tgz. Since the attack involves man-in-the-middle (MitM) or DNS spoofing techniques, network traffic inspection tools can be used to detect anomalies.
Commands to help detect this vulnerability include:
- Use tcpdump or Wireshark to capture and analyze network traffic for suspicious TLS connections or DNS responses:
  - `tcpdump -i <interface> host install.speedtest.net and port 443`
- Check for unexpected or self-signed TLS certificates during the download process.
- Use tools like openssl to manually verify the certificate of the speedtest client server:
  - `openssl s_client -connect install.speedtest.net:443`
- Inspect the downloaded tarball for unexpected contents or modifications, for example by checking the hash or extracting and reviewing the files.
- Monitor the device for unexpected root shell activity or unusual processes, which may indicate exploitation.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include preventing the device from downloading the speedtest client from untrusted sources and blocking man-in-the-middle or DNS spoofing attacks.
- Restrict network access to the legitimate speedtest client server by enforcing strict DNS and TLS validation.
- Implement network-level protections such as DNSSEC or secure DNS resolvers to prevent DNS spoofing.
- Use network segmentation or firewall rules to block unauthorized MitM attempts or suspicious traffic.
- Monitor and audit device logs for signs of exploitation or unexpected command execution.
- If possible, update the firmware of the Gryphon Guardian device to a version that patches this TLS certificate validation issue.
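As an added example (not the vendor's firmware code and not part of this advisory), the two controls the explanation and mitigation above point at, in Python: the CWE-295 pattern of disabling certificate checks next to the default verifying context, and a pinned-digest check on the archive before anything inside it is extracted or run. The function names, the pinned digest and the in-memory sample tarball are constructed for this example.

```python
import hashlib
import hmac
import io
import ssl
import tarfile

def weak_tls_context() -> ssl.SSLContext:
    """CWE-295 pattern: a self-signed cert from a MitM or spoofed host is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_tls_context() -> ssl.SSLContext:
    """Default context: CERT_REQUIRED against the CA store, hostname checked."""
    return ssl.create_default_context()

def tls_checks_enabled(ctx: ssl.SSLContext) -> bool:
    """True only if both chain validation and hostname matching are on."""
    return bool(ctx.check_hostname) and ctx.verify_mode != ssl.CERT_NONE

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_tarball(data: bytes, expected_sha256: str) -> bool:
    """Archive must match a digest pinned in firmware (hypothetical; none on this page)."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256)

def safe_member_names(data: bytes, expected_sha256: str) -> list[str]:
    """Refuse unverified archives and members whose paths escape the target dir."""
    if not verify_tarball(data, expected_sha256):
        raise ValueError("tarball digest mismatch; refusing to extract")
    names = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.name.startswith("/") or ".." in member.name.split("/"):
                raise ValueError(f"unsafe member path: {member.name}")
            names.append(member.name)
    return names

def build_sample_tarball() -> bytes:
    """Constructed in-memory stand-in for the speedtest client tarball."""
    payload = b"#!/bin/sh\necho speedtest\n"
    info = tarfile.TarInfo("speedtest")
    info.size = len(payload)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()
```

Pinning a digest only helps if the digest itself reaches the device over a channel the MitM cannot alter, which is why the verifying TLS context is still the primary control.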