Cyber Posture

CVE-2025-68717

Critical · Public PoC

Published: 08 January 2026

Modified: 02 February 2026
KEV Added
Patch
CVSS Score: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.0015 (34.9th percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Description

KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 allow authentication bypass during session validation. If any user is logged in, endpoints such as /cgi-bin/system-tool accept unauthenticated requests with empty or invalid session values. This design flaw lets attackers piggyback on another user's active session to retrieve sensitive configuration data or execute privileged actions without authentication.

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: SC-23 requires mechanisms to protect the authenticity of communications sessions, directly preventing authentication bypass via invalid or empty session values.

Prevent: AC-3 enforces approved authorizations for access to resources, ensuring endpoints reject unauthenticated requests even if a legitimate user is logged in.

Prevent: IA-11 mandates re-authentication for privileged actions, mitigating bypass risks by requiring fresh validation beyond initial session establishment.

Security Summary · AI

CVE-2025-68717 is an authentication bypass vulnerability in KAYSUS KS-WR3600 routers running firmware version 1.0.5.9.1. The issue stems from flawed session validation, where endpoints such as /cgi-bin/system-tool accept requests with empty or invalid session values if any legitimate user is logged in. This design flaw, classified as CWE-287 (Improper Authentication), carries a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L), indicating critical severity due to high impacts on confidentiality and integrity.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. By piggybacking on an active legitimate user's session, they can retrieve sensitive configuration data or execute privileged actions without authentication.
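The flawed validation described above, modelled beside a check that binds the decision to the token each request presents. This is an added example, not KAYSUS firmware code or code from the advisory. The `SessionStore` class, its method names, the token format and the timeout are assumptions; only the behaviour (empty or invalid session values accepted while any user is logged in) comes from the description.

```python
import hashlib
import secrets

SESSION_TTL = 600  # seconds; assumed idle timeout, not from the advisory


def _digest(token):
    # Store only a hash of each token so the table never holds usable secrets.
    return hashlib.sha256(token.encode("utf-8", "replace")).hexdigest()


class SessionStore:
    """Hypothetical session table for a router web UI (names are assumptions)."""

    def __init__(self):
        self._sessions = {}  # sha256(token) -> expiry time

    def login(self, now):
        token = secrets.token_urlsafe(32)
        self._sessions[_digest(token)] = now + SESSION_TTL
        return token

    def logout(self, token):
        self._sessions.pop(_digest(token), None)

    def authorized_flawed(self, presented, now):
        # Models the described defect: the check asks "is anyone logged in?"
        # and never looks at the value the request presented.
        return any(exp > now for exp in self._sessions.values())

    def authorized_fixed(self, presented, now):
        # Decision is bound to this request's token and fails closed.
        if not isinstance(presented, str) or not presented:
            return False  # missing or empty session value
        exp = self._sessions.get(_digest(presented))
        return exp is not None and exp > now


def compare_checks(now=1000.0):
    """Run both checks over constructed session values while an admin is logged in."""
    store = SessionStore()
    admin = store.login(now)
    cases = {"empty": "", "invalid": "not-a-real-session", "valid": admin}
    return {name: (store.authorized_flawed(v, now + 1), store.authorized_fixed(v, now + 1))
            for name, v in cases.items()}
```

`compare_checks()` returns a `(flawed, fixed)` pair per case: the flawed check authorizes all three values, the fixed check only the valid token.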

Advisories and additional details are available in the referenced sources, including https://github.com/actuator/cve/blob/main/KAYSUS/CVE-2025-68717.txt, https://github.com/actuator/cve/tree/main/KAYSUS, and the product page at https://www.kaysus.com/ks_wr3600__wifi_7_be3600_wireless_router.html.

Details

CWE(s)

Affected Products

kaysus · ks-wr3600 firmware · 1.0.5.9.1

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1602.002 Network Device Configuration Dump (Collection)
Adversaries may access network configuration files to collect sensitive data about the device and the network.
Why these techniques?

The CVE enables exploitation of the router's public-facing web interface (T1190) through authentication bypass, directly facilitating retrieval of sensitive configuration data (T1602.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References