Cyber Resilience

CVE-2025-25428

HighPublic PoC

Published: 28 February 2025

Published
28 February 2025
Modified
21 May 2025
KEV Added
Patch
CVSS Score v3.1 8.0 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0005 15.6th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-25428 is a high-severity Use of Hard-coded Password (CWE-259) vulnerability in Trendnet Tew-929Dru Firmware. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 15.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-25428 is a hardcoded password vulnerability in the TRENDnet TEW-929DRU router running firmware version 1.0.0.10. The flaw exists in the /etc/shadow file, which contains a static password that permits unauthorized root login. This issue, classified under CWE-259 (Use of Hard-coded Password), was published on 2025-02-28 and carries a CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for complete device compromise.

Attackers with adjacent network access (AV:A) and low privileges (PR:L), such as limited user access, can exploit this vulnerability with low complexity and no user interaction required. Upon successful authentication using the hardcoded password, attackers gain root privileges, enabling high-impact confidentiality breaches (e.g., data exfiltration), integrity violations (e.g., configuration changes), and availability disruptions (e.g., denial of service), effectively providing full control over the affected router.

Mitigation details are available in the referenced advisory at https://instinctive-acapella-fc7.notion.site/Trendnet-TEW-929DRU-Hardcoded-password-17815d9d4d2680d5a2becf32425d93fd, which documents the hardcoded password discovery in the TRENDnet TEW-929DRU.

EU & UK References

Vulnerability details

TRENDnet TEW-929DRU 1.0.0.10 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1078.003 Local Accounts Stealth
Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

The hardcoded password in /etc/shadow allows attackers with low privileges to authenticate as root, enabling privilege escalation (T1068), use of local accounts (T1078.003), and exploitation of unsecured credentials in files (T1552.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-15136Same vendor: Trendnet
CVE-2025-70802Shared CWE-259
CVE-2026-5352Same vendor: Trendnet
CVE-2026-7607Same vendor: Trendnet
CVE-2025-15137Same vendor: Trendnet
CVE-2026-5349Same vendor: Trendnet
CVE-2024-57590Same vendor: Trendnet
CVE-2026-10061Same vendor: Trendnet
CVE-2026-5350Same vendor: Trendnet
CVE-2025-15139Same vendor: Trendnet

Affected Assets

trendnet
tew-929dru firmware
1.0.0.10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires management of system authenticators including changing defaults, establishing strength, and protecting content to prevent hardcoded root passwords in files like /etc/shadow.

preventrecover

Mandates timely identification, reporting, prioritization, and remediation of flaws such as hardcoded passwords via firmware updates.

prevent

Enforces establishment and monitoring of secure configuration settings that prohibit hardcoded credentials in router firmware components.

References