CVE-2025-43986
Published: 13 August 2025
Summary
CVE-2025-43986 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in KuWFi products (vendor inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique External Remote Services (T1133). The CVE ranks in the top 38.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-17 (Remote Access) and CM-7 (Least Functionality).
Deeper analysis
CVE-2025-43986, published on 2025-08-13, affects KuWFi GC111 devices running firmware version GC111-GL-LM321_V3.0_20191211. The vulnerability stems from the TELNET service being enabled by default and exposed over the WAN interface without authentication, classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for complete system compromise.
Any unauthenticated attacker with network access to the device's WAN interface can exploit this vulnerability. By connecting directly to the exposed TELNET port, attackers can achieve high-impact unauthorized access, potentially obtaining sensitive information, executing arbitrary commands, modifying configurations, or disrupting device operations, leading to full confidentiality, integrity, and availability impacts.
Advisories and further details are available in the referenced GitHub repositories at https://github.com/actuator/cve/blob/main/Kuwfi/CVE-2025-43986.txt and https://github.com/actuator/cve/tree/main/kuwfi, along with the product page at https://www.kuwfi.com/products/300mbps-industrial-router-cat4-4g-cpe-router-extender-strong-wifi-signal-suport-32wifi-users-with-sim-card-slot-95. No specific patch or mitigation guidance is detailed in the provided CVE information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-24639
Vulnerability details
An issue was discovered on KuWFi GC111 GC111-GL-LM321_V3.0_20191211 devices. The TELNET service is enabled by default and exposed over the WAN interface without authentication.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Default unauthenticated Telnet exposure on WAN directly enables External Remote Services (T1133) for initial access and command execution.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Mandates prohibiting unnecessary services like TELNET enabled by default, directly preventing exposure and exploitation.
Restricts public access to specific ports, protocols, and services such as unauthenticated TELNET on WAN interfaces.
Establishes authorization and usage restrictions for remote access mechanisms like exposed TELNET, preventing unauthorized connections.