CVE-2025-68715

CRITICAL
2026-01-08 [email protected]
9.1
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
PoC Detected
Jan 30, 2026 - 01:04 vuln.today
Public exploit code
CVE Published
Jan 08, 2026 - 20:15 nvd
CRITICAL 9.1

Tags

Denial Of Service Privilege Escalation Pwru01 Firmware

Description

An issue was discovered in Panda Wireless PWRU0 devices with firmware 2.2.9 that exposes multiple HTTP endpoints (/goform/setWan, /goform/setLan, /goform/wirelessBasic) that do not enforce authentication. A remote unauthenticated attacker can modify WAN, LAN, and wireless settings directly, leading to privilege escalation and denial of service.

Analysis

Panda Wireless PWRU0 devices (firmware 2.2.9) expose WAN, LAN, and wireless configuration endpoints without authentication. Remote attackers can modify all network settings. PoC available.

Technical Context

Multiple configuration endpoints (/goform/setWan, /goform/setLan, /goform/wirelessBasic) do not enforce authentication (CWE-306). An attacker can modify WAN routing (redirect all traffic), LAN settings (DHCP poisoning), and wireless security (disable encryption).

Affected Products

Panda Wireless PWRU0 firmware 2.2.9

Remediation

Apply firmware updates when available. Restrict management interface to wired connections only.

Priority Score

66
Low Medium High Critical
KEV: 0
EPSS: +0.6
CVSS: +46
POC: +20

Share

CVE-2025-68715 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy