Cyber Resilience

CVE-2025-44643

High

Published: 04 August 2025

Modified: 15 April 2026
CVSS Score v3.1: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)
EPSS Score: 0.0029 (53.1th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-44643 is a high-severity Incorrect Default Permissions (CWE-276) vulnerability in Draytek (inferred from references). Its CVSS base score is 8.6 (High).

Operationally, it is ranked in the top 46.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Certain Draytek products are affected by Insecure Configuration. This affects AP903 v1.4.18, AP912C v1.4.9 and AP918R v1.4.9. The setting of the password property in the ripd.conf configuration file sets a hardcoded weak password, posing a security risk. An attacker with network access could exploit this to gain unauthorized control over the routing daemon, potentially altering network routes or intercepting traffic.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Draytek
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-276 CWE-798

A central authority can define and push correct default permissions, eliminating the common practice of leaving insecure defaults on individual hosts.

addresses: CWE-276 CWE-798

Administrator documentation on secure configuration and default settings prevents incorrect default permissions from remaining in place.

addresses: CWE-276

Access control policy can specify and enforce secure default permissions for resources.

addresses: CWE-276

Guides setting of default permissions to the minimum required level.

addresses: CWE-798

Enables users to notice when hard-coded credentials have been exploited for unauthorized access.

addresses: CWE-798

Security training explicitly warns against hard-coded credentials, lowering their use in systems.

addresses: CWE-276

Establishes requirements for appropriate default permissions on system resources as part of configuration management.

addresses: CWE-276

Baseline establishment and updates on install/upgrade ensure correct default permissions rather than insecure ones.

References