Cyber Posture

CVE-2025-68719

High · Public PoC

Published: 08 January 2026

Modified: 02 February 2026
KEV Added:
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0008 (22.9th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-68719 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Kaysus Ks-Wr3600 Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique /etc/passwd and /etc/shadow (T1003.008). The CVE is ranked at the 22.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to /etc/passwd and /etc/shadow (T1003.008). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Enforces approved authorizations to prevent low-privileged authenticated sessions from accessing and downloading sensitive configuration archives via the backup endpoint.

prevent: Limits privileges of any authenticated user to exclude access to full configuration backups containing sensitive files like /etc/shadow.

prevent: Remediates the firmware flaw in configuration management by applying patches or updates to block unauthorized archive downloads.

MITRE ATT&CK Enterprise Techniques [AI]

T1003.008 · /etc/passwd and /etc/shadow · Credential Access
Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking.

Why these techniques?

Vulnerability directly exposes /etc/shadow via unauthorized config archive download, enabling OS credential dumping of hashed passwords.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 mishandle configuration management. Once any user is logged in and maintains an active session, an attacker can directly query the backup endpoint and download a full configuration archive. This archive contains sensitive files such as /etc/shadow, enabling credential recovery and potential full compromise of the device.

Deeper analysis [AI]

CVE-2025-68719 is a vulnerability in KAYSUS KS-WR3600 routers running firmware version 1.0.5.9.1, stemming from improper configuration management (CWE-200, CWE-552). The issue allows an attacker to directly query the backup endpoint and download a full configuration archive once any user maintains an active login session. This archive contains sensitive files, including /etc/shadow, which exposes hashed credentials.

The attack requires network access (AV:N), low attack complexity (AC:L), low privileges (PR:L, such as any authenticated user session), and no user interaction (UI:N), with an unchanged scope (S:U). Exploitation yields high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), scoring 8.8 on CVSS 3.1. An attacker can recover credentials from the archive, leading to potential full compromise of the device.

Advisories and further details are available in the referenced repositories at https://github.com/actuator/cve/blob/main/KAYSUS/CVE-2025-68719.txt and https://github.com/actuator/cve/tree/main/KAYSUS, along with the product page at https://www.kaysus.com/ks_wr3600__wifi_7_be3600_wireless_router.html. No specific patch or mitigation guidance is provided in the CVE description.

Details

CWE(s)

Affected Products

kaysus
ks-wr3600 firmware
1.0.5.9.1

CVEs Like This One

CVE-2025-68716 · Same product: Kaysus Ks-Wr3600
CVE-2025-68717 · Same product: Kaysus Ks-Wr3600
CVE-2026-29066 · Shared CWE-200, CWE-552
CVE-2026-24870 · Shared CWE-200
CVE-2026-4020 · Shared CWE-200
CVE-2025-21620 · Shared CWE-200
CVE-2025-62188 · Shared CWE-200
CVE-2024-13562 · Shared CWE-200
CVE-2024-57716 · Shared CWE-200
CVE-2024-57452 · Shared CWE-552
