CVE-2025-65883
Published: 04 December 2025
Summary
CVE-2025-65883 is a high-severity Insufficient Session Expiration (CWE-613) vulnerability in Genexis Platinum 4410 Firmware. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 23.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mandates termination of user sessions upon logout, preventing reuse of stale session tokens by local attackers.
Requires timely flaw remediation via firmware patching to correct the improper session invalidation vulnerability.
Enforces input validation on the diagnostic endpoint to block crafted requests leading to RCE even with a reused session token.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability enables unauthenticated attackers to exploit the router's diagnostic endpoint (T1190, T1210) for arbitrary root command execution via Unix shell (T1059.004) by reusing stale admin session tokens.
NVD Description
A vulnerability has been identified in Genexis Platinum P4410 router (Firmware P4410-V2–1.41) that allows a local network attacker to achieve Remote Code Execution (RCE) with root privileges. The issue occurs due to improper session invalidation after administrator logout. When an administrator logs out, the session token remains valid. An attacker on the local network can reuse this stale token to send crafted requests via the router’s diagnostic endpoint, resulting in command execution as root.
Deeper analysis
CVE-2025-65883 affects the Genexis Platinum P4410 router running firmware version P4410-V2-1.41. The vulnerability arises from improper session invalidation after an administrator logs out, as classified under CWE-613. This issue enables a local network attacker to reuse the stale session token for remote code execution with root privileges by sending crafted requests to the router's diagnostic endpoint.
A local network attacker needs no privileges and no user interaction to exploit this vulnerability, and the attack complexity is low. By reusing the session token that persists after logout, the attacker achieves arbitrary command execution as root on the device. The CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects high impacts on confidentiality, integrity, and availability.
Details on mitigation, including any patches or vendor advisories, can be found in the referenced write-up at https://0xw41th.medium.com/my-first-cve-cve-2025-65883-remote-code-execution-in-a-genexis-router-0c35749a99bd, published alongside the CVE on 2025-12-04.
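The session-handling flaw described above, shown as an added example that is not from the vendor, the NVD entry, or the referenced write-up: a minimal server-side session table in which logout either leaves the token live (the CWE-613 behaviour) or revokes it, plus an idle timeout in the spirit of AC-12. `SessionStore`, `stale_token_accepted` and the 300-second timeout are assumptions for illustration; the firmware's actual implementation is not described on this page.

```python
import secrets
import time

IDLE_TIMEOUT = 300  # seconds; assumed value, not taken from the firmware


class SessionStore:
    """Hypothetical server-side session table for an admin web interface."""

    def __init__(self, invalidate_on_logout, clock=time.monotonic):
        self.invalidate_on_logout = invalidate_on_logout
        self.clock = clock
        self._sessions = {}  # token -> time of last authenticated request

    def login(self):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = self.clock()
        return token

    def logout(self, token):
        # Weak form: the UI returns to the login page, but the server-side
        # entry is kept, so the token keeps authenticating requests.
        if self.invalidate_on_logout:
            self._sessions.pop(token, None)

    def is_valid(self, token):
        last_seen = self._sessions.get(token)
        if last_seen is None:
            return False
        if self.clock() - last_seen > IDLE_TIMEOUT:
            # Idle sessions are terminated even if logout was never called.
            del self._sessions[token]
            return False
        self._sessions[token] = self.clock()
        return True


def stale_token_accepted(store):
    """Regression check: True means a logged-out token still authenticates."""
    token = store.login()
    if not store.is_valid(token):
        raise RuntimeError("fresh token rejected; store is misconfigured")
    store.logout(token)
    return store.is_valid(token)


if __name__ == "__main__":
    for hardened in (False, True):
        store = SessionStore(invalidate_on_logout=hardened)
        print(f"invalidate_on_logout={hardened}: "
              f"stale token accepted = {stale_token_accepted(store)}")
```

The same login, logout, replay sequence is what a post-patch acceptance test should run against the device's own management interface: any authenticated response to the logged-out token means the fix is incomplete.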
Details
- CWE(s)