CVE-2025-62773: CWE-912 Hidden Functionality in Mercku M6a
Mercku M6a devices through 2.1.0 allow TELNET sessions via a router.telnet.enabled.update request by an administrator.
AI Analysis
Technical Summary
CVE-2025-62773 identifies a hidden functionality vulnerability (CWE-912) in Mercku M6a routers through firmware version 2.1.0. The issue arises because the device firmware allows an administrator to enable TELNET sessions by sending a specific request: router.telnet.enabled.update. TELNET is an insecure protocol that transmits data in plaintext, and its unintended activation increases the attack surface by potentially exposing the device to network-based attacks. The vulnerability requires administrator privileges to exploit, meaning an attacker must already have elevated access to the device. The CVSS v3.1 score is 2.4 (low severity), reflecting the limited impact on confidentiality (none), integrity (low), and availability (none). The attack vector is adjacent network (AV:A), with low attack complexity (AC:L), and no user interaction (UI:N). No known exploits have been reported in the wild, and no patches have been published at the time of disclosure. The root cause is the presence of undocumented or hidden functionality that can be triggered by authorized users, which is a recognized security weakness under CWE-912. This vulnerability highlights the risks of hidden features that can be abused even by legitimate administrators, potentially leading to misconfigurations or expanded attack surfaces.
Potential Impact
For European organizations using Mercku M6a devices, this vulnerability could lead to inadvertent or malicious enabling of TELNET access on routers, which is inherently insecure. While the vulnerability does not directly compromise confidentiality or availability, enabling TELNET could allow attackers with network access to intercept or manipulate router communications if they gain access through other means. This could facilitate lateral movement or reconnaissance within corporate networks. The requirement for administrator privileges limits the risk to insider threats or attackers who have already compromised administrative credentials. Organizations in sectors with strict network security requirements, such as finance, healthcare, or critical infrastructure, may face compliance risks if insecure protocols like TELNET are enabled. The lack of patches means organizations must rely on configuration management and monitoring to mitigate risk until vendor updates are available.
Mitigation Recommendations
European organizations should implement strict access controls to limit administrative access to Mercku M6a devices, ensuring only trusted personnel can perform configuration changes. Network segmentation should be used to isolate management interfaces from general network traffic. Monitoring and alerting should be configured to detect any activation of TELNET services on these devices, including unexpected router.telnet.enabled.update requests in device logs or network traffic. Disable TELNET wherever it is found enabled, and prefer secure management protocols such as SSH. Regularly audit device configurations to ensure no hidden or undocumented features are active. Organizations should engage with Mercku for firmware updates and apply patches promptly once available. Additionally, consider deploying network intrusion detection systems (NIDS) to identify TELNET traffic and block unauthorized access attempts. Training administrators on the risks of hidden functionality and on secure configuration practices is also recommended.
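The monitoring and configuration-audit recommendations above can be turned into a small detection script. The following is an added example written for this page, not code from Mercku or from the advisory. The only identifier taken from the advisory is the request method name router.telnet.enabled.update; the management-log line layout, the field names, the management subnet, the configuration dictionary shape and every sample value are constructed assumptions for illustration.

```python
"""Detection helpers for the telnet-enable request described in CVE-2025-62773.

Assumed (hypothetical) log layout, one management request per line:
  <ISO timestamp> <device> mgmt: user=<name> src=<ip> method=<api.method> result=<ok|denied>
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Method name from the advisory; everything else in this file is constructed.
TELNET_ENABLE_METHOD = "router.telnet.enabled.update"

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<device>\S+)\s+mgmt:\s+"
    r"user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+"
    r"method=(?P<method>\S+)\s+result=(?P<result>\S+)\s*$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    device: str
    user: str
    src: str
    applied: bool       # True when the router reported result=ok
    off_segment: bool   # True when src lies outside the management network


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one management-log line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_telnet_enable(lines: Iterable[str], mgmt_net: str = "10.0.0.0/24") -> List[Alert]:
    """Return one Alert per request that invokes the telnet-enable method.

    Every call is reported, including denied ones: an administrator account
    trying to turn on TELNET deserves a look regardless of the outcome.
    """
    net = ipaddress.ip_network(mgmt_net)
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != TELNET_ENABLE_METHOD:
            continue
        try:
            off_segment = ipaddress.ip_address(ev["src"]) not in net
        except ValueError:
            off_segment = True  # unparsable source address: treat as untrusted
        alerts.append(Alert(ev["ts"], ev["device"], ev["user"], ev["src"],
                            applied=(ev["result"] == "ok"), off_segment=off_segment))
    return alerts


def audit_config(config: Dict[str, Dict[str, bool]]) -> List[str]:
    """Flag insecure management-service state in an exported config snapshot.

    The snapshot shape ({service: {"enabled": bool}}) is assumed for this example.
    """
    findings: List[str] = []
    if config.get("telnet", {}).get("enabled"):
        findings.append("telnet enabled: disable it and manage the device over SSH")
    if not config.get("ssh", {}).get("enabled"):
        findings.append("ssh disabled: no secure management channel is available")
    return findings


# Constructed sample log: two routine changes, one telnet enable from the
# management segment, one denied attempt from an address outside it.
SAMPLE_LOG = [
    "2025-10-22T03:10:05Z m6a-lobby mgmt: user=admin src=10.0.0.15 method=router.wifi.ssid.update result=ok",
    "2025-10-22T03:12:40Z m6a-lobby mgmt: user=admin src=10.0.0.15 method=router.telnet.enabled.update result=ok",
    "2025-10-22T03:15:01Z m6a-lobby mgmt: user=admin src=192.168.1.77 method=router.telnet.enabled.update result=denied",
    "2025-10-22T03:16:22Z m6a-lobby mgmt: user=admin src=10.0.0.15 method=router.dhcp.lease.update result=ok",
    "this line is not a management request and is skipped",
]

if __name__ == "__main__":
    for a in detect_telnet_enable(SAMPLE_LOG):
        state = "APPLIED" if a.applied else "attempted"
        where = "outside mgmt net" if a.off_segment else "from mgmt net"
        print(f"{a.ts} {a.device}: {TELNET_ENABLE_METHOD} {state} by {a.user} ({a.src}, {where})")
    for f in audit_config({"telnet": {"enabled": True}, "ssh": {"enabled": False}}):
        print("config finding:", f)
```

Run against the constructed sample, the detector raises two alerts (one applied change from the management subnet, one denied attempt from outside it) and ignores the routine requests; the config audit flags a snapshot with TELNET on and SSH off. Denied attempts are reported deliberately, because an administrator credential that is being used to enable TELNET is itself the signal the mitigation section asks you to watch for.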
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-10-22T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68f8501287e9a014511a9011
Added to database: 10/22/2025, 3:31:30 AM
Last enriched: 10/29/2025, 4:39:52 AM
Last updated: 12/5/2025, 7:53:29 AM