Cyber Resilience

CVE-2025-68717

Critical · Public PoC

Published: 08 January 2026

Modified: 02 February 2026
CVSS Score v3.1: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.0052 (40.0th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-68717 is a critical-severity Improper Authentication (CWE-287) vulnerability in Kaysus Ks-Wr3600 Firmware. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 40.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-23 (Session Authenticity).

Deeper analysis

CVE-2025-68717 is an authentication bypass vulnerability in KAYSUS KS-WR3600 routers running firmware version 1.0.5.9.1. The issue stems from flawed session validation, where endpoints such as /cgi-bin/system-tool accept requests with empty or invalid session values if any legitimate user is logged in. This design flaw, classified as CWE-287 (Improper Authentication), carries a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L), indicating critical severity due to high impacts on confidentiality and integrity.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. By piggybacking on an active legitimate user's session, they can retrieve sensitive configuration data or execute privileged actions without authentication.
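
A minimal model of the session-validation flaw described above, next to a check that binds the decision to the presented token. This is an added example, not the KAYSUS firmware's code or the referenced proof-of-concept; the `SessionStore` class, the function names and the request values are hypothetical and constructed for illustration.

```python
import hmac
import secrets

PROTECTED = {"/cgi-bin/system-tool"}  # endpoint named in the advisory


class SessionStore:
    """Hypothetical in-memory session table; not the firmware's code."""

    def __init__(self):
        self._sessions = {}  # issued token -> username

    def login(self, username):
        token = secrets.token_hex(16)
        self._sessions[token] = username
        return token

    def flawed_check(self, presented):
        # Models the described behaviour: the decision depends only on
        # whether *anyone* is logged in, never on the presented value.
        return bool(self._sessions)

    def strict_check(self, presented):
        # Deny missing or empty values outright, then require an exact,
        # constant-time match against a token this device issued.
        if not isinstance(presented, str) or not presented:
            return False
        candidate = presented.encode("utf-8", "replace")
        matched = False
        for token in self._sessions:
            matched |= hmac.compare_digest(token.encode(), candidate)
        return matched


def handle(check, path, session_value):
    """Return an HTTP-style status for a request to `path`."""
    if path in PROTECTED and not check(session_value):
        return 401
    return 200


def compare_checks():
    """Run the same constructed requests through both checks."""
    store = SessionStore()
    admin_token = store.login("admin")  # a legitimate user is logged in
    cases = {"empty": "", "missing": None, "invalid": "not-a-token", "valid": admin_token}
    path = "/cgi-bin/system-tool"
    return {name: (handle(store.flawed_check, path, value),
                   handle(store.strict_check, path, value))
            for name, value in cases.items()}
```

Each result pair is (flawed status, strict status); only the request carrying the issued token should reach 200 under the strict check.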

Advisories and additional details are available in the referenced sources, including https://github.com/actuator/cve/blob/main/KAYSUS/CVE-2025-68717.txt, https://github.com/actuator/cve/tree/main/KAYSUS, and the product page at https://www.kaysus.com/ks_wr3600__wifi_7_be3600_wireless_router.html.

Vulnerability details

KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 allow authentication bypass during session validation. If any user is logged in, endpoints such as /cgi-bin/system-tool accept unauthenticated requests with empty or invalid session values. This design flaw lets attackers piggyback on another user's active session to retrieve sensitive configuration data or execute privileged actions without authentication.

Related Threats

MITRE ATT&CK Enterprise Techniques · AI

T1190: Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1602.002: Network Device Configuration Dump (tactic: Collection)
Adversaries may access network configuration files to collect sensitive data about the device and the network.

Why these techniques?

The CVE enables exploitation of the public-facing router web interface (T1190) for authentication bypass, directly facilitating retrieval of sensitive configuration data (T1602.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-68719 (same product: Kaysus Ks-Wr3600)
CVE-2025-68716 (same product: Kaysus Ks-Wr3600)
CVE-2024-57045 (shared CWE-287)
CVE-2025-1044 (shared CWE-287)
CVE-2026-1740 (shared CWE-287)
CVE-2026-7022 (shared CWE-287)
CVE-2024-13111 (shared CWE-287)
CVE-2026-29145 (shared CWE-287)
CVE-2018-25236 (shared CWE-287)
CVE-2024-53704 (shared CWE-287)

Affected Assets

Vendor: kaysus
Product: ks-wr3600 firmware
Version: 1.0.5.9.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: SC-23 requires mechanisms to protect the authenticity of communications sessions, directly preventing authentication bypass via invalid or empty session values.

Prevent: AC-3 enforces approved authorizations for access to resources, ensuring endpoints reject unauthenticated requests even if a legitimate user is logged in.

Prevent: IA-11 mandates re-authentication for privileged actions, mitigating bypass risks by requiring fresh validation beyond initial session establishment.

References