KeeneticOS
CVE-2025-56008
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Cross site scripting (XSS) vulnerability in KeeneticOS before 4.3 at "Wireless ISP" page allows attackers located near to the router to takeover the device via adding additional users with full permissions.
AnalysisAI
Stored cross-site scripting on the KeeneticOS 'Wireless ISP' page enables a physically proximate attacker to compromise a Keenetic router by injecting a malicious payload-likely via a crafted nearby wireless network name (SSID)-that executes in an authenticated administrator's browser session. Successful exploitation allows the attacker to create additional users with full administrative permissions, resulting in complete device takeover. No public exploit code or CISA KEV listing has been identified at time of analysis, and EPSS probability stands at 0.03%, indicating limited current exploitation activity.
Technical ContextAI
KeeneticOS is the proprietary firmware powering Keenetic routers (CPE: cpe:2.3:o:keenetic:keeneticos:*:*:*:*:*:*:*:*). The 'Wireless ISP' page is a router administration feature that scans and displays nearby wireless networks for use as an upstream Internet source. CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates that data from an external source-almost certainly a malicious SSID broadcast by an attacker's nearby access point-is rendered unsanitized in the web administration interface. Because the router reflects externally-sourced wireless scan data without escaping, the attacker controls the injected content without needing any credentials on the device itself. The scope change (S:C in the CVSS vector) correctly models that the injected script executes within the victim's browser session, which holds authenticated access to the router management plane.
RemediationAI
Upgrade KeeneticOS to version 4.3 or later, which addresses this vulnerability per the Keenetic security advisory at https://keenetic.com/global/security#october-2025-web-api-vulnerabilities. Until patching is possible, a concrete compensating control is to disable or avoid using the 'Wireless ISP' (WISP) feature entirely-if the router does not use a wireless upstream connection, this page and its scan data will not be rendered, eliminating the injection surface; note this mitigation removes WISP functionality. Additionally, restricting access to the router's web administration interface to trusted wired LAN segments or a dedicated management VLAN reduces the likelihood of an administrator browsing the vulnerable page while an attacker's malicious AP is in range. Administrators should also audit existing user accounts for any unauthorized accounts with elevated privileges as an indicator of prior compromise.
More in Keeneticos
View allCRLF injection in KeeneticOS before version 4.3 enables full device takeover by exploiting the /auth API endpoint to inj
Cross-site request forgery in KeeneticOS before version 4.3 allows remote attackers to take over Keenetic routers by for
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today