Cyber Posture

CVE-2025-68716

High · LPE

Published: 08 January 2026

Modified: 02 February 2026
CVSS Score: 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (0.9th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-68716 is a high-severity Improper Access Control (CWE-284) vulnerability in Kaysus Ks-Wr3600 Firmware. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique External Remote Services (T1133). The CVE ranks at the 0.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-2 (Account Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to External Remote Services (T1133) and 2 other techniques.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent: Directly prohibits permitting root SSH access without identification or authentication on the LAN interface, addressing the core improper access control vulnerability.

Prevent: Requires changing default authenticators and ensuring sufficient strength, preventing the use of empty passwords on the root account for SSH.

Prevent: Mandates proper management of accounts including disabling unnecessary privileges or securing root accounts, mitigating the default insecure root configuration.

MITRE ATT&CK Enterprise Techniques [AI]

T1133 External Remote Services (Persistence)
Adversaries may leverage external-facing remote services to initially access and/or persist within a network.

T1021.004 SSH (Lateral Movement)
Adversaries may use [Valid Accounts](https://attack.

T1078.001 Default Accounts (Stealth)
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

Why these techniques?

Default-enabled unauthenticated SSH root access directly enables External Remote Services (T1133) and SSH remote access (T1021.004) via Default Accounts (T1078.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 enable the SSH service by default on the LAN interface. The root account is configured with no password, and administrators cannot disable SSH or enforce authentication via the CLI or web GUI. This allows any LAN-adjacent attacker to trivially gain root shell access and execute arbitrary commands with full privileges.

Deeper analysis [AI]

CVE-2025-68716 is a high-severity vulnerability in KAYSUS KS-WR3600 routers running firmware version 1.0.5.9.1. The issue arises from the SSH service being enabled by default on the LAN interface, with the root account configured without a password. Administrators cannot disable SSH or enforce authentication requirements through the CLI or web GUI, leading to improper access control. This is mapped to CWEs 284 (Improper Access Control), 306 (Missing Authentication for Critical Function), and 521 (Weak Password Requirements), with a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A LAN-adjacent attacker can exploit this vulnerability with low attack complexity, no required privileges, and no user interaction. Exploitation provides trivial root shell access, enabling the execution of arbitrary commands with full privileges on the router.

Mitigation details and advisories are available in the following references: https://github.com/actuator/cve/blob/main/KAYSUS/CVE-2025-68716.txt, https://github.com/actuator/cve/tree/main/KAYSUS, and https://www.kaysus.com/ks_wr3600__wifi_7_be3600_wireless_router.html.

Details

CWE(s)

Affected Products

kaysus ks-wr3600 firmware 1.0.5.9.1

CVEs Like This One

CVE-2025-68717: Same product: Kaysus Ks-Wr3600
CVE-2025-68719: Same product: Kaysus Ks-Wr3600
CVE-2025-53963: Shared CWE-521
CVE-2026-42222: Shared CWE-284, CWE-306
CVE-2026-22564: Shared CWE-284
CVE-2024-45438: Shared CWE-284, CWE-306
CVE-2026-33951: Shared CWE-284, CWE-306
CVE-2025-30133: Shared CWE-284
CVE-2025-63353: Shared CWE-284
CVE-2025-8025: Shared CWE-284, CWE-306

References