CVE-2025-70998
Received Received - Intake
Insecure Default Telnet Credentials in UTT HiPER 810 Router

Publication date: 2026-02-18

Last updated on: 2026-02-19

Assigner: MITRE

Description
UTT HiPER 810 / nv810v4 router firmware v1.5.0-140603 was discovered to contain insecure default credentials for the telnet service, possibly allowing a remote attacker to gain root access via a crafted script.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-18
Last Modified
2026-02-19
Generated
2026-06-16
AI Q&A
2026-02-18
EPSS Evaluated
2026-06-15
NVD
CVE-2025-70998
EUVD
EUVD-2025-207779
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
utt 810_firmware 1.5.0-140603
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1188 The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The UTT HiPER 810 / nv810v4 router firmware version v1.5.0-140603 contains a factory-default telnet backdoor that listens on a non-standard port 60023.

This backdoor uses default credentials (admin/admin) to grant remote root shell access to attackers.

It is activated by factory startup scripts located in a read-only partition, specifically the /etc_ro/rcS script, which runs the telnet daemon for debugging purposes.

The backdoor cannot be permanently disabled because upon reboot, the default admin root account is restored via the /sbin/internet.sh script.

This vulnerability allows remote attackers to gain full root access and completely compromise the device.

Impact Analysis

This vulnerability allows a remote attacker to gain full root access to the affected router without any user interaction.

With root access, the attacker can fully control the device, potentially intercepting, modifying, or redirecting network traffic.

The attacker could also use the compromised router as a foothold to launch further attacks within the network or to exfiltrate sensitive data.

Because the backdoor cannot be disabled permanently, the device remains vulnerable even after reboots.

Overall, this poses a critical security risk to the confidentiality, integrity, and availability of the network and connected systems.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by scanning your network devices for an open telnet service running on the non-standard port 60023.'}, {'type': 'paragraph', 'content': 'Once the port is found open, you can attempt to connect using telnet with the default credentials (admin/admin) to verify if the backdoor is accessible.'}, {'type': 'list_item', 'content': 'Use a port scanning tool like nmap to scan for port 60023: nmap -p 60023 <target-ip>'}, {'type': 'list_item', 'content': 'Attempt to connect via telnet on port 60023: telnet <target-ip> 60023'}, {'type': 'list_item', 'content': "Try logging in with the default credentials: username 'admin' and password 'admin'"}] [1]

Mitigation Strategies

Immediate mitigation steps include restricting or blocking access to port 60023 on your network to prevent remote attackers from connecting to the telnet backdoor.

Since the backdoor cannot be permanently disabled due to the firmware restoring default credentials and services on reboot, consider isolating the affected device from untrusted networks.

If possible, replace or upgrade the device firmware to a version that does not contain this vulnerability or replace the device entirely.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-70998. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart