CVE-2025-0890
Published: 04 February 2025
Description
**UNSUPPORTED WHEN ASSIGNED** Insecure default credentials for the Telnet function in the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an attacker to log in to the management interface if the administrators have the option to change the default credentials but fail to do so.
Security Summary
CVE-2025-0890 covers insecure default credentials for the Telnet service in the legacy DSL CPE Zyxel VMG4325-B10A, firmware version 1.00(AAFR.4)C0_20170615. The record is tagged UNSUPPORTED WHEN ASSIGNED, meaning the product was already end-of-life when the CVE was assigned and no firmware fix should be expected; it is classified under CWE-287 (Improper Authentication) and CWE-522 (Insufficiently Protected Credentials). The weakness is that the device ships with a known Telnet credential pair that administrators are able to change but may leave in place, so anyone who can reach the Telnet service can log in to the management interface with those defaults. The CVSS v3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), critical severity: network-reachable, low complexity, and no privileges or user interaction required.
Exploitation requires nothing beyond reachability of the Telnet port: no prior privileges, no valid account and no user interaction. On a CPE that can be the LAN side, or the WAN side if remote management is exposed. A successful login lands the attacker on the management interface and therefore in control of the device, which is why confidentiality, integrity and availability are all rated High. Because the affected model is end-of-life, the practical mitigations are to change the default credentials, restrict or disable the Telnet service, and plan replacement of the hardware.
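As an added example (not Zyxel's code or tooling, and not taken from the advisory), the following Python script lets an administrator verify whether a CPE still accepts a given Telnet credential pair. It assumes a conventional login:/password: dialogue and shell- or CLI-style prompts, which are configurable in the constants at the top; the vendor default values are deliberately not embedded, so the operator supplies the pair to test on the command line.

```python
"""Added example, not Zyxel's code: Telnet default-credential check for
legacy CPE. Usage: python telnet_default_check.py HOST USERNAME PASSWORD"""
import socket
import sys

# Telnet protocol bytes (RFC 854)
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240

# Prompt fragments are assumptions; adjust them to the target's real banner.
LOGIN_PROMPTS = (b"login:", b"username:")
PASSWORD_PROMPTS = (b"password:",)
FAILURE_MARKERS = (b"login incorrect", b"authentication failed", b"access denied")
SHELL_PROMPTS = (b"$", b"#", b">")


def strip_iac(data: bytes) -> tuple[bytes, bytes]:
    """Split a received chunk into (plain_text, negotiation_reply).

    Every WILL is answered with DONT and every DO with WONT so the server stops
    waiting on option negotiation; subnegotiations are dropped and an escaped
    0xFF is restored. A sequence split across two recv() calls is not handled,
    which is acceptable for a one-shot check.
    """
    text, reply = bytearray(), bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            text.append(b)
            i += 1
            continue
        if i + 1 >= len(data):
            break                                   # truncated IAC, discard
        cmd = data[i + 1]
        if cmd == IAC:                              # escaped data byte 0xFF
            text.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):
            if i + 2 >= len(data):
                break
            opt = data[i + 2]
            if cmd == WILL:
                reply += bytes((IAC, DONT, opt))
            elif cmd == DO:
                reply += bytes((IAC, WONT, opt))
            i += 3
        elif cmd == SB:                             # skip IAC SB ... IAC SE
            end = data.find(bytes((IAC, SE)), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                                       # NOP, GA, ...: 2 bytes
            i += 2
    return bytes(text), bytes(reply)


def classify(output: bytes) -> str:
    """'rejected' on a failure message or a fresh login/password prompt,
    'accepted' when the output ends in a shell/CLI prompt, else 'unknown'."""
    low = output.lower()
    if any(m in low for m in FAILURE_MARKERS):
        return "rejected"
    tail = low.rstrip()
    if tail.endswith(LOGIN_PROMPTS + PASSWORD_PROMPTS):
        return "rejected"
    if tail.endswith(SHELL_PROMPTS):
        return "accepted"
    return "unknown"


def _read_quiet(sock: socket.socket, quiet: float) -> bytes:
    """Read until the line is silent for `quiet` seconds, answering
    option negotiation as it arrives."""
    sock.settimeout(quiet)
    buf = bytearray()
    while True:
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            break
        if not chunk:
            break
        text, reply = strip_iac(chunk)
        if reply:
            sock.sendall(reply)
        buf += text
    return bytes(buf)


def check_device(host: str, user: str, password: str,
                 port: int = 23, quiet: float = 3.0) -> str:
    """Return 'closed', 'rejected', 'accepted' or 'unknown' for one device."""
    try:
        sock = socket.create_connection((host, port), timeout=quiet)
    except OSError:
        return "closed"
    with sock:
        _read_quiet(sock, quiet)                    # banner and login prompt
        sock.sendall(user.encode() + b"\r\n")
        _read_quiet(sock, quiet)                    # password prompt
        sock.sendall(password.encode() + b"\r\n")
        return classify(_read_quiet(sock, quiet))   # shell prompt or re-prompt


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} HOST USERNAME PASSWORD")
    print(check_device(sys.argv[1], sys.argv[2], sys.argv[3]))
```

Run it only against devices you are authorized to test. A result of `accepted` with the vendor defaults means the device is exposed exactly as described above; the immediate fix is to change the password and restrict or disable Telnet, and an `unknown` result means the prompt constants need adjusting to the device's actual banner.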
Zyxel has published a security advisory covering this insecure default credentials issue together with command injection vulnerabilities in certain legacy DSL CPE devices: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-and-insecure-default-credentials-vulnerabilities-in-certain-legacy-dsl-cpe-02-04-2025.
Details
- CWE(s)