Skip to main content

KeeneticOS CVE-2025-56009

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-10-23 cve@mitre.org
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 20, 2026 - 20:33 vuln.today

DescriptionCVE.org

Cross site request forgery (CSRF) vulnerability in KeeneticOS before 4.3 at "/rci" API endpoint allows attackers to take over the device via adding additional users with full permissions by managing the victim to open page with exploit.

AnalysisAI

Cross-site request forgery in KeeneticOS before version 4.3 allows remote attackers to take over Keenetic routers by forging authenticated requests to the /rci (Remote Configuration Interface) API endpoint, resulting in the creation of unauthorized full-permission admin accounts. The attack requires tricking a currently-authenticated router administrator into visiting a malicious page, giving attackers persistent full-device control without needing credentials of their own. No public exploitation confirmed in CISA KEV, but a public researcher writeup is available on GitHub; EPSS stands at 0.02% (7th percentile), suggesting exploitation remains limited at time of analysis.

Technical ContextAI

KeeneticOS is the proprietary firmware running on Keenetic-brand routers (CPE: cpe:2.3:o:keenetic:keeneticos:*:*:*:*:*:*:*:*). The /rci endpoint is the router's Remote Configuration Interface - a web API used to manage device settings including user account administration. CWE-352 (Cross-Site Request Forgery) arises when a web application accepts state-changing requests without validating that they originate from the authenticated session holder rather than a third-party origin. In this case, the /rci endpoint appears to lack CSRF token validation or same-origin enforcement, allowing a malicious third-party page to submit forged administrative requests that the router processes as legitimate because the victim's browser automatically attaches valid session cookies.

RemediationAI

The primary remediation is to upgrade to KeeneticOS 4.3 or later, which resolves the CSRF vulnerability in the /rci API endpoint per the vendor's October 2025 security advisory at https://keenetic.com/global/security#october-2025-web-api-vulnerabilities. If an immediate upgrade is not feasible, administrators should implement strict session hygiene: log out of the router admin interface before general web browsing, and use a dedicated browser profile or device exclusively for router administration - this eliminates the live session cookies CSRF requires. Disabling internet-facing remote management (WAN-side access to the admin UI) removes network-reachable attack surface for external adversaries, though it does not protect against LAN-side exploitation when an admin browses a malicious page internally. Note that session isolation mitigations require consistent user behavior and are operationally fragile compared to patching.

Share

CVE-2025-56009 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy