Cyber Posture

CVE-2025-68717

Critical · Public PoC

Published: 08 January 2026

Modified: 02 February 2026
KEV Added
Patch
CVSS Score: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.0016 (35.9th percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-68717 is a critical-severity Improper Authentication (CWE-287) vulnerability in Kaysus Ks-Wr3600 Firmware. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 35.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-23 (Session Authenticity).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent: SC-23 requires mechanisms to protect the authenticity of communications sessions, directly preventing authentication bypass via invalid or empty session values.

prevent: AC-3 enforces approved authorizations for access to resources, ensuring endpoints reject unauthenticated requests even if a legitimate user is logged in.

prevent: IA-11 mandates re-authentication for privileged actions, mitigating bypass risks by requiring fresh validation beyond initial session establishment.

MITRE ATT&CK Enterprise Techniques · AI

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1602.002 · Network Device Configuration Dump · Collection
Adversaries may access network configuration files to collect sensitive data about the device and the network.

Why these techniques?

The CVE enables exploitation of the public-facing router web interface (T1190) for authentication bypass, directly facilitating retrieval of sensitive configuration data (T1602.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 allow authentication bypass during session validation. If any user is logged in, endpoints such as /cgi-bin/system-tool accept unauthenticated requests with empty or invalid session values. This design flaw lets attackers piggyback on another user's active session to retrieve sensitive configuration data or execute privileged actions without authentication.

Deeper analysis · AI

CVE-2025-68717 is an authentication bypass vulnerability in KAYSUS KS-WR3600 routers running firmware version 1.0.5.9.1. The issue stems from flawed session validation, where endpoints such as /cgi-bin/system-tool accept requests with empty or invalid session values if any legitimate user is logged in. This design flaw, classified as CWE-287 (Improper Authentication), carries a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L), indicating critical severity due to high impacts on confidentiality and integrity.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. By piggybacking on an active legitimate user's session, they can retrieve sensitive configuration data or execute privileged actions without authentication.

Advisories and additional details are available in the referenced sources, including https://github.com/actuator/cve/blob/main/KAYSUS/CVE-2025-68717.txt, https://github.com/actuator/cve/tree/main/KAYSUS, and the product page at https://www.kaysus.com/ks_wr3600__wifi_7_be3600_wireless_router.html.

Details

CWE(s)

Affected Products

kaysus · ks-wr3600 firmware · 1.0.5.9.1

CVEs Like This One

CVE-2025-68719 · Same product: Kaysus Ks-Wr3600
CVE-2025-68716 · Same product: Kaysus Ks-Wr3600
CVE-2024-57045 · Shared CWE-287
CVE-2025-65128 · Shared CWE-287
CVE-2026-34121 · Shared CWE-287
CVE-2024-53704 · Shared CWE-287
CVE-2026-5570 · Shared CWE-287
CVE-2026-21881 · Shared CWE-287
CVE-2026-33716 · Shared CWE-287
CVE-2025-27422 · Shared CWE-287
