CVE-2025-70998
Insecure Default Telnet Credentials in UTT HiPER 810 Router
Publication date: 2026-02-18
Last updated on: 2026-02-19
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| utt | 810_firmware | 1.5.0-140603 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1188 | The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The UTT HiPER 810 / nv810v4 router firmware version v1.5.0-140603 ships with a factory-default telnet service listening on the non-standard TCP port 60023.
Logging in to that service with the default credentials (admin/admin) gives a remote attacker a root shell.
The service is started by the factory startup script /etc_ro/rcS, which lives on a read-only partition and launches the telnet daemon for debugging purposes.
The backdoor cannot be permanently disabled: even if the account is changed or the daemon is stopped, the /sbin/internet.sh script restores the default admin root account on every reboot.
Any attacker who can reach port 60023 therefore gains full root access and complete control of the device.
How can this vulnerability impact me?:
This vulnerability allows a remote attacker who can reach TCP port 60023 to gain full root access to the affected router without any user interaction.
With root access, the attacker fully controls the device and can intercept, modify, or redirect the traffic that passes through it.
The attacker can also use the compromised router as a foothold to attack other hosts on the network or to exfiltrate sensitive data.
Because the backdoor is re-enabled by the startup scripts, the device remains vulnerable after every reboot, and changing the admin password does not help.
Overall, this poses a critical risk to the confidentiality, integrity, and availability of the network and the systems connected to it.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by scanning your network devices for an open telnet service on the non-standard TCP port 60023.
Once the port is found open, connect with a telnet client and, on devices you are authorized to test, try the default credentials (admin/admin) to confirm the backdoor is reachable.
- Scan for port 60023 with nmap (a single host, or a whole subnet such as nmap -p 60023 192.168.1.0/24; adding -sV fingerprints the service): nmap -p 60023 <target-ip>
- Connect via telnet on port 60023: telnet <target-ip> 60023
- Try logging in with the default credentials: username 'admin' and password 'admin'; a root shell confirms the device is affected
[1]
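As an added example (not code from this tracker page or from the vendor), the following Python helper turns the manual steps above into a repeatable check. It parses nmap's grepable output (-oG) for hosts that report TCP 60023 open, then connects to each candidate and waits for a telnet login prompt, refusing the server's option negotiation so telnetd falls through to its prompt. It deliberately sends no credentials; trying admin/admin is left to an authorized tester. The subnet, the script file name, the sample nmap output and the telnet greeting bytes are all constructed for the demo, not captured from a real device.

```python
"""Detection helper for the UTT HiPER 810 telnet backdoor (CVE-2025-70998).

Added example for this page, not vendor or tracker code. Intended workflow:
  1. nmap -p 60023 -oG scan.gnmap 192.168.1.0/24   # subnet is a placeholder
  2. python3 hiper_telnet_check.py scan.gnmap       # file name is a placeholder
The probe only looks for a login prompt; it never sends credentials.
"""
import re
import socket
import sys

BACKDOOR_PORT = 60023

# Telnet command bytes (RFC 854): IAC introduces a command, DO/WILL request options.
IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251


def parse_gnmap(text, port=BACKDOOR_PORT):
    """Return the hosts whose nmap grepable (-oG) line reports `port` open on TCP."""
    hosts = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        if re.search(rf"\b{port}/open/tcp", line):
            hosts.append(host)
    return hosts


def strip_telnet_options(data):
    """Split a raw telnet stream into (printable text, reply bytes to send back).

    Every DO/WILL request is refused (WONT/DONT) so telnetd stops negotiating
    and prints its login prompt; any other IAC command is dropped.
    """
    text, reply = bytearray(), bytearray()
    i = 0
    while i < len(data):
        if data[i] == IAC and i + 2 < len(data) and data[i + 1] in (DO, DONT, WILL, WONT):
            cmd, opt = data[i + 1], data[i + 2]
            if cmd == DO:
                reply += bytes([IAC, WONT, opt])
            elif cmd == WILL:
                reply += bytes([IAC, DONT, opt])
            i += 3
        elif data[i] == IAC and i + 1 < len(data):
            i += 2  # two-byte command (NOP, GA, escaped 0xff): ignore it
        else:
            text.append(data[i])
            i += 1
    return bytes(text).decode("ascii", "replace"), bytes(reply)


def looks_like_login_prompt(text):
    """True when the text contains something like 'login:' or 'Password:'."""
    return re.search(r"\b(login|username|password)\s*:", text, re.I) is not None


def probe_telnet(host, port=BACKDOOR_PORT, timeout=5.0):
    """Connect to host:port and report (prompt_seen, banner). Sends no credentials."""
    collected = ""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            for _ in range(4):  # a few round trips are enough to reach the prompt
                chunk = sock.recv(1024)
                if not chunk:
                    break
                text, reply = strip_telnet_options(chunk)
                collected += text
                if reply:
                    sock.sendall(reply)
                if looks_like_login_prompt(collected):
                    return True, collected.strip()
    except OSError:
        pass  # refused, filtered or timed out: not confirmed
    return False, collected.strip()


# Constructed sample nmap -oG output (not a real scan) for the offline demo.
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -p 60023 -oG - 192.168.1.0/24
Host: 192.168.1.1 ()\tPorts: 60023/open/tcp//unknown///\tIgnored State: closed (0)
Host: 192.168.1.2 ()\tPorts: 60023/closed/tcp//unknown///
Host: 192.168.1.3 ()\tStatus: Up
Host: 192.168.1.4 ()\tPorts: 60023/filtered/tcp//unknown///
"""
# Constructed bytes shaped like a telnetd greeting: DO TTYPE, DO TSPEED,
# WILL ECHO, WILL SGA, then a login prompt. Not captured from a real device.
SAMPLE_TELNET = b"\xff\xfd\x18\xff\xfd\x20\xff\xfb\x01\xff\xfb\x03\r\nHiPER login: "

if __name__ == "__main__":
    if len(sys.argv) > 1:  # real run: parse the scan file and probe each candidate
        with open(sys.argv[1]) as f:
            candidates = parse_gnmap(f.read())
        for ip in candidates:
            seen, banner = probe_telnet(ip)
            state = "LOGIN PROMPT on 60023" if seen else "open, no prompt seen"
            print(f"{ip}: {state} {banner!r}")
    else:  # offline demo on the constructed samples
        print("candidates:", parse_gnmap(SAMPLE_GNMAP))
        text, reply = strip_telnet_options(SAMPLE_TELNET)
        print("prompt:", repr(text.strip()), "seen:", looks_like_login_prompt(text))
        print("negotiation reply:", reply.hex())
```

Run without arguments to see the parser and negotiation logic exercised on the embedded samples; run with a scan file to probe real hosts. A host that answers with a login prompt on 60023 should be treated as affected until the vendor firmware and the /etc_ro/rcS behaviour are verified.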
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation is to block TCP port 60023 at the network edge or on an upstream firewall so that the telnet backdoor cannot be reached from the internet or from untrusted segments; never expose the router's management interfaces to the WAN.
Changing the admin password or killing the telnet daemon on the device is not a durable fix, because /sbin/internet.sh restores the default root account and /etc_ro/rcS restarts the service on every reboot, so also isolate the affected device from untrusted networks.
Check with the vendor for a firmware release that removes the telnet debug service and verify with a port scan after updating; if no such release is available, replace the device.