CVE-2025-65008: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in WODESYS WD-R608U
In WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) due to lack of validation in the langGet parameter in the adm.cgi endpoint, the malicious attacker can execute system shell commands. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version WDR28081123OV1.01 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
AI Analysis
Technical Summary
CVE-2025-65008 is an OS command injection vulnerability classified under CWE-78, affecting the WODESYS WD-R608U router series, including models WDR122B V2.0 and WDR28. The vulnerability is due to insufficient input validation of the 'langGet' parameter in the adm.cgi endpoint, which is accessible remotely. An attacker can exploit this flaw by crafting malicious requests that inject arbitrary shell commands, leading to full system compromise. The vulnerability requires no authentication or user interaction, significantly increasing its exploitability. The only confirmed vulnerable firmware version is WDR28081123OV1.01, but the lack of vendor response and testing on other versions suggests a broader impact. The CVSS 4.0 vector (AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) indicates that the attack can be performed remotely over the network with low complexity and no privileges, resulting in high confidentiality, integrity, and availability impacts. The absence of patches or mitigation guidance from the vendor exacerbates the risk. Although no exploits have been observed in the wild, the vulnerability's nature makes it a prime target for attackers aiming to gain control over network infrastructure devices.
Potential Impact
For European organizations, this vulnerability poses a severe threat to network security and operational continuity. Exploitation can lead to unauthorized access, data exfiltration, manipulation or destruction of data, and disruption of network services. Given that routers are critical infrastructure components, compromise could facilitate lateral movement within networks, enabling attackers to target sensitive systems or launch further attacks. Industrial, governmental, and enterprise sectors relying on WODESYS routers may face operational downtime, financial losses, and reputational damage. The lack of vendor patches increases the window of exposure, and the vulnerability's ease of exploitation means even low-skilled attackers could leverage it. Additionally, the potential for attackers to install persistent backdoors or malware could have long-term security implications. European data protection regulations (e.g., GDPR) may also impose legal consequences if breaches occur due to this vulnerability.
Mitigation Recommendations
1. Immediately isolate affected WODESYS WD-R608U routers from untrusted networks, especially the internet, to prevent remote exploitation. 2. Disable remote administration interfaces or restrict access to trusted IP addresses only. 3. Implement strict network segmentation to limit the router's access to critical internal systems. 4. Monitor network traffic and device logs for unusual or unauthorized commands targeting the adm.cgi endpoint or the 'langGet' parameter. 5. Conduct thorough inventory and firmware version audits to identify all potentially vulnerable devices. 6. Engage with WODESYS or authorized vendors to request firmware updates or patches; if unavailable, consider replacing affected hardware with secure alternatives. 7. Employ intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics capable of detecting command injection attempts. 8. Educate network administrators about this vulnerability and enforce strong operational security practices. 9. Prepare incident response plans specifically addressing potential exploitation scenarios involving network infrastructure devices.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium
CVE-2025-65008: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in WODESYS WD-R608U
Description
In WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) due to lack of validation in the langGet parameter in the adm.cgi endpoint, the malicious attacker can execute system shell commands. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version WDR28081123OV1.01 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
AI-Powered Analysis
Technical Analysis
CVE-2025-65008 is an OS command injection vulnerability classified under CWE-78, affecting the WODESYS WD-R608U router series, including models WDR122B V2.0 and WDR28. The vulnerability is due to insufficient input validation of the 'langGet' parameter in the adm.cgi endpoint, which is accessible remotely. An attacker can exploit this flaw by crafting malicious requests that inject arbitrary shell commands, leading to full system compromise. The vulnerability requires no authentication or user interaction, significantly increasing its exploitability. The only confirmed vulnerable firmware version is WDR28081123OV1.01, but the lack of vendor response and testing on other versions suggests a broader impact. The CVSS 4.0 vector (AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) indicates that the attack can be performed remotely over the network with low complexity and no privileges, resulting in high confidentiality, integrity, and availability impacts. The absence of patches or mitigation guidance from the vendor exacerbates the risk. Although no exploits have been observed in the wild, the vulnerability's nature makes it a prime target for attackers aiming to gain control over network infrastructure devices.
Potential Impact
For European organizations, this vulnerability poses a severe threat to network security and operational continuity. Exploitation can lead to unauthorized access, data exfiltration, manipulation or destruction of data, and disruption of network services. Given that routers are critical infrastructure components, compromise could facilitate lateral movement within networks, enabling attackers to target sensitive systems or launch further attacks. Industrial, governmental, and enterprise sectors relying on WODESYS routers may face operational downtime, financial losses, and reputational damage. The lack of vendor patches increases the window of exposure, and the vulnerability's ease of exploitation means even low-skilled attackers could leverage it. Additionally, the potential for attackers to install persistent backdoors or malware could have long-term security implications. European data protection regulations (e.g., GDPR) may also impose legal consequences if breaches occur due to this vulnerability.
Mitigation Recommendations
1. Immediately isolate affected WODESYS WD-R608U routers from untrusted networks, especially the internet, to prevent remote exploitation. 2. Disable remote administration interfaces or restrict access to trusted IP addresses only. 3. Implement strict network segmentation to limit the router's access to critical internal systems. 4. Monitor network traffic and device logs for unusual or unauthorized commands targeting the adm.cgi endpoint or the 'langGet' parameter. 5. Conduct thorough inventory and firmware version audits to identify all potentially vulnerable devices. 6. Engage with WODESYS or authorized vendors to request firmware updates or patches; if unavailable, consider replacing affected hardware with secure alternatives. 7. Employ intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics capable of detecting command injection attempts. 8. Educate network administrators about this vulnerability and enforce strong operational security practices. 9. Prepare incident response plans specifically addressing potential exploitation scenarios involving network infrastructure devices.
Affected Countries
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- CERT-PL
- Date Reserved
- 2025-11-13T09:42:15.301Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69441d2f4eb3efac369421ab
Added to database: 12/18/2025, 3:26:39 PM
Last enriched: 12/25/2025, 4:31:35 PM
Last updated: 2/6/2026, 5:56:31 AM
Views: 63
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-1991: NULL Pointer Dereference in libuvc
MediumCVE-2026-1990: NULL Pointer Dereference in oatpp
MediumCVE-2026-1979: Use After Free in mruby
MediumCVE-2026-1978: Direct Request in kalyan02 NanoCMS
MediumCVE-2026-25698
LowActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.