CVE-2025-65007 identifies a critical security vulnerability in the WODESYS WD-R608U router series, specifically confirmed in firmware version WDR28081123OV1.01. The root cause is a missing authentication mechanism in the configuration change module accessible via the adm.cgi endpoint. This flaw allows an unauthenticated attacker to remotely execute sensitive commands without any user interaction or privileges. Commands that can be executed include creating device backups, restarting the router, and resetting it to factory defaults, which can lead to denial of service or loss of configuration integrity. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function), indicating that critical functions are exposed without proper access controls. The CVSS v4.0 score of 8.7 (high severity) reflects the ease of exploitation (attack vector: adjacent network), no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. The vendor was notified early but has not disclosed detailed affected version ranges or provided patches, complicating mitigation efforts. No known exploits have been reported in the wild yet, but the vulnerability presents a significant risk to any organization using the affected devices. The lack of authentication on a management interface accessible over the network is a serious security oversight, potentially allowing attackers to disrupt network operations or gain persistent control over the device.

For European organizations, this vulnerability poses a substantial risk to network stability and security. Exploitation can lead to denial of service through device restarts or factory resets, causing operational downtime and potential loss of network connectivity. The ability to create backups without authentication may expose sensitive configuration data, risking confidentiality breaches. Critical infrastructure operators, enterprises, and service providers using WODESYS WD-R608U routers could face disruptions impacting business continuity and service availability. The absence of authentication also increases the risk of lateral movement within networks if attackers gain footholds via these devices. Given the router's role in network management, compromised devices could be leveraged for further attacks or espionage. The lack of vendor patches exacerbates the threat, forcing organizations to rely on network-level mitigations or device replacement. The vulnerability's high severity and ease of exploitation make it a priority concern for cybersecurity teams in Europe, especially in sectors with stringent regulatory requirements for network security and uptime.

1. Immediately restrict access to the adm.cgi management interface by implementing strict network segmentation and firewall rules, allowing only trusted administrative hosts to connect. 2. Disable remote management features on the WD-R608U routers if not strictly necessary, or restrict them to secure VPN connections. 3. Monitor network traffic for unusual requests targeting the adm.cgi endpoint, and set up alerts for suspicious activities such as repeated unauthenticated commands. 4. Conduct an inventory to identify all deployed WODESYS WD-R608U routers and verify firmware versions; prioritize remediation for confirmed vulnerable devices. 5. Engage with the vendor for updates or patches and subscribe to security advisories for any forthcoming fixes. 6. Where possible, replace vulnerable devices with alternative routers that have robust authentication and security controls. 7. Implement multi-factor authentication and strong password policies on all network devices to reduce the risk of exploitation through other vectors. 8. Regularly back up device configurations securely to enable rapid recovery if a device is compromised or reset. 9. Employ intrusion detection/prevention systems (IDS/IPS) tuned to detect exploitation attempts targeting this vulnerability. 10. Educate network administrators about the risks and signs of exploitation related to this vulnerability to enhance incident response readiness.