CVE-2025-68719: n/a
KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 mishandle configuration management. Once any user is logged in and maintains an active session, an attacker can directly query the backup endpoint and download a full configuration archive. This archive contains sensitive files such as /etc/shadow, enabling credential recovery and potential full compromise of the device.
AI Analysis
Technical Summary
CVE-2025-68719 affects KAYSUS KS-WR3600 routers running firmware 1.0.5.9.1. The defect is a missing authorization check on the configuration-backup endpoint of the web management interface: the endpoint confirms that a session is active but not that the caller holds the privilege a full configuration export should require. The published description is worded carefully: once any user is logged in and maintains an active session, an attacker can query the backup endpoint directly and download the complete configuration archive. It does not say whether the attacker must own that session or whether another user's concurrent login is enough, so until the vendor clarifies, defenders should assume the weaker condition and treat any active login to the device as sufficient. The archive is described as containing sensitive files such as /etc/shadow; other secrets held in the configuration should be assumed exposed as well. /etc/shadow holds the password hashes of the device's system accounts, including root, so an attacker can crack them offline without further contact with the device; embedded firmware often uses fast schemes such as md5crypt or traditional DES crypt, and router passwords are often short, which makes recovery practical. A recovered root password usually also works on any telnet, SSH or serial console the device exposes, which gives persistent privileged access. From there an attacker can alter DNS and routing, intercept or manipulate traffic, pivot into the connected network, or disrupt service. Exploitation requires authentication and an active session but not administrative privileges, so a low-privilege account, a compromised user or an insider is enough. No public exploit has been reported and no vendor patch or firmware update was linked at the time of analysis. No CVSS score was assigned, so severity must be assessed independently from the impact and exploitability described here.
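The practical consequence of the leak is easiest to see by auditing a backup archive the way an attacker would triage it. The following script is an added example written for this analysis, not code from KAYSUS or from the CVE record. It assumes the backup is a gzip-compressed tar archive (common for embedded-Linux routers; the KS-WR3600 format is not stated, so substitute zipfile if the download is a zip), and the archive and the /etc/shadow lines it contains are constructed sample data rather than real device output. It lists the files a user-downloadable backup should never contain and labels each shadow hash by how cheap it is to crack offline.

```python
"""Audit a router configuration backup for leaked credential material.

Added example for this advisory, not code from KAYSUS or from the CVE
record. It assumes the backup is a gzip-compressed tar archive (common for
embedded-Linux routers; the KS-WR3600 format is not stated, so swap in
zipfile if the download is a zip). The archive and the /etc/shadow lines it
contains are constructed sample data, not real device output.
"""
import io
import tarfile

# Paths that a user-downloadable backup should never contain.
SENSITIVE_PATHS = (
    "etc/shadow",
    "etc/passwd",
    "etc/dropbear",      # SSH host keys on many embedded systems
    "etc/ssh",
    "etc/ssl/private",
)

# crypt(3) prefixes, in the order they are tested, with a triage label.
HASH_SCHEMES = (
    ("$1$", "md5crypt (fast, weak)"),
    ("$5$", "sha256crypt"),
    ("$6$", "sha512crypt"),
    ("$y$", "yescrypt"),
    ("$2", "bcrypt"),     # covers $2a$, $2b$, $2y$
)


def normalize_member_name(name):
    """Strip leading './' and '/' so archive paths compare as relative."""
    while name.startswith("./") or name.startswith("/"):
        name = name[2:] if name.startswith("./") else name[1:]
    return name


def parse_shadow(text):
    """Return {user: hash_field} for every entry in an /etc/shadow file."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) >= 2:
            entries[parts[0]] = parts[1]
    return entries


def classify_hash(field):
    """Label a shadow hash field by how much it helps an offline cracker."""
    if field == "":
        return "EMPTY (account has no password)"
    if field.startswith(("!", "*")):
        return "locked"
    for prefix, label in HASH_SCHEMES:
        if field.startswith(prefix):
            return label
    if len(field) == 13 and "$" not in field:
        return "traditional DES crypt (very weak)"
    return "unknown scheme"


def audit_backup(archive_bytes):
    """List sensitive files in a .tar.gz backup and triage /etc/shadow."""
    findings = {"sensitive_files": [], "accounts": {}}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            name = normalize_member_name(member.name)
            if any(name == p or name.startswith(p + "/") for p in SENSITIVE_PATHS):
                findings["sensitive_files"].append(name)
            if name == "etc/shadow":
                shadow = tar.extractfile(member).read().decode("utf-8", "replace")
                for user, field in parse_shadow(shadow).items():
                    findings["accounts"][user] = classify_hash(field)
    return findings


def build_sample_backup():
    """Construct an archive shaped like a router backup (sample data only)."""
    files = {
        "etc/shadow": (
            "root:$1$abcdefgh$0123456789abcdefghijkl:19000:0:99999:7:::\n"
            "admin:$6$saltsalt$" + "Q" * 86 + ":19000:0:99999:7:::\n"
            "guest::19000:0:99999:7:::\n"
            "daemon:*:19000:0:99999:7:::\n"
        ),
        "etc/passwd": "root:x:0:0:root:/root:/bin/sh\n",
        "etc/config/network": "config interface 'lan'\n\toption ipaddr '192.168.1.1'\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name="./" + path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    report = audit_backup(build_sample_backup())
    for path in report["sensitive_files"]:
        print("sensitive file in backup:", path)
    for user, verdict in report["accounts"].items():
        print(f"{user}: {verdict}")
```

Run against a real archive by passing the downloaded bytes to audit_backup(). An md5crypt or DES root hash in the output means the password is within reach of a commodity GPU; a locked root account with a strong admin hash narrows the damage to whatever other secrets the rest of the archive carries.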
Potential Impact
For European organizations, the vulnerability is primarily a threat to network confidentiality and integrity. A compromised KS-WR3600 sits in the path of every flow it routes, so an attacker who recovers root credentials can intercept or alter communications, tamper with DNS, or use the device as a foothold for deeper intrusion. Any organization that deploys these routers, including those in regulated sectors such as government, finance, healthcare and energy, could face operational disruption and data breaches. Because /etc/shadow leaks password hashes, and router passwords are frequently reused elsewhere, credential theft can extend beyond the device itself and support lateral movement and privilege escalation in the surrounding network. Compromised routers are also routinely conscripted into botnets and used for distributed denial-of-service attacks. The precondition of an active authenticated session means the attack is reachable by insiders, by anyone who obtains a low-privilege account, and by attackers who have already compromised a host on the management network. No exploit is publicly known, which leaves a window for mitigation, but the impact remains high given the sensitivity of the data exposed and the role routers play in network infrastructure.
Mitigation Recommendations
Until KAYSUS ships a fixed firmware, mitigation has to reduce who can reach the web interface and who can hold a session on it. Audit the device's accounts and remove or disable every login that is not strictly needed; the vulnerability requires only a low-privilege session, so each extra account is an attack path. Place the management interface on a dedicated administration VLAN reachable only from named administrator hosts, and confirm it is not exposed to the WAN. Note that the backup endpoint is served by the same web interface as the rest of the UI, so an ordinary firewall can only restrict the interface as a whole; blocking the endpoint alone requires a filtering proxy in front of the device. Because an active session is the precondition, shorten session timeouts where the firmware allows it and require administrators to log out after use; enable multi-factor authentication only if the firmware actually offers it, which is uncommon on this class of device. Log access to the management interface, ideally by capturing HTTP to the router's address on a network sensor since consumer-grade router logging is usually minimal, and alert on any download of a configuration archive that does not come from an approved administrator host at a planned time. Ask KAYSUS for a patched firmware and apply it as soon as it is released; if none is forthcoming, disable the backup function if the firmware permits, or replace the device. Treat the credentials of any device whose configuration archive may already have been downloaded as compromised: rotate the administrative and system passwords, which renders the leaked hashes useless, and prefer long passphrases so that any future leak is expensive to crack. Finally, apply least privilege to router accounts and brief users on credential hygiene.
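Since the router itself is unlikely to log backup downloads, the monitoring step above is most realistically done on a network sensor watching HTTP to the management address. The script below is an added example written for this analysis, not vendor code and not part of the CVE record. It assumes Zeek's tab-separated http.log with a #fields header (the constructed sample uses a subset of the standard columns), an assumed router management address, an assumed set of administrator hosts allowed to pull backups, and URI substrings used to recognise a backup request; the KS-WR3600's actual endpoint path is not given in the CVE text, so "/cgi-bin/backup.cgi" in the sample is a placeholder to be replaced with the observed path.

```python
"""Flag configuration-backup downloads from a router's web UI in Zeek http.log.

Added example for this advisory, not vendor code and not from the CVE
record. Assumptions: Zeek's tab-separated http.log with a #fields header
(the sample uses a subset of the standard columns); the router's management
address; the administrator hosts allowed to pull backups; and the URI
substrings used to recognise a backup request. The KS-WR3600's real endpoint
path is not given in the CVE text, so "/cgi-bin/backup.cgi" below is a
placeholder and the log lines are constructed.
"""

ROUTER_MGMT_IP = "192.168.1.1"            # assumed router address
ALLOWED_ADMIN_HOSTS = {"192.168.10.5"}    # assumed administrator workstation
BACKUP_URI_HINTS = ("backup", "config")   # replace with the observed path
ARCHIVE_MIME_TYPES = (
    "application/gzip",
    "application/x-gzip",
    "application/x-tar",
    "application/zip",
    "application/octet-stream",
)

# Constructed sample in Zeek format: one approved backup, one ordinary page
# view, one backup pulled by a non-admin host, one denied attempt.
SAMPLE_HTTP_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod"
    "\thost\turi\tstatus_code\tresponse_body_len\tresp_mime_types",
    "1767900000.1\tC1\t192.168.10.5\t51000\t192.168.1.1\t80\tGET"
    "\t192.168.1.1\t/cgi-bin/backup.cgi\t200\t48211\tapplication/gzip",
    "1767900120.4\tC2\t192.168.1.50\t51234\t192.168.1.1\t80\tGET"
    "\t192.168.1.1\t/index.html\t200\t5120\ttext/html",
    "1767900130.9\tC3\t192.168.1.50\t51235\t192.168.1.1\t80\tGET"
    "\t192.168.1.1\t/cgi-bin/backup.cgi\t200\t48211\tapplication/gzip",
    "1767900200.0\tC4\t192.168.1.77\t40000\t192.168.1.1\t80\tGET"
    "\t192.168.1.1\t/cgi-bin/backup.cgi\t403\t312\ttext/html",
])


def parse_zeek_log(text):
    """Turn a Zeek TSV log into a list of dicts keyed by the #fields names."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def classify(record):
    """Return an alert dict for a backup-related request to the router, or None."""
    if record.get("id.resp_h") != ROUTER_MGMT_IP:
        return None
    uri = record.get("uri", "-").lower()
    mimes = record.get("resp_mime_types", "-").lower()
    backup_uri = any(hint in uri for hint in BACKUP_URI_HINTS)
    archive_body = any(m in mimes for m in ARCHIVE_MIME_TYPES)
    if not (backup_uri or archive_body):
        return None
    src = record.get("id.orig_h", "-")
    status = record.get("status_code", "-")
    trusted = src in ALLOWED_ADMIN_HOSTS
    if status == "200" and archive_body:
        # An archive actually left the router: the event that matters.
        severity = "info" if trusted else "high"
        reason = ("archive download from approved admin host; verify it was planned"
                  if trusted else "configuration archive downloaded by non-admin host")
    elif backup_uri and not trusted:
        # Endpoint touched by an unexpected host but no archive returned.
        severity = "medium" if status != "200" else "low"
        reason = f"backup endpoint request by non-admin host (status {status}, no archive)"
    else:
        return None
    return {"severity": severity, "src": src, "uri": record.get("uri"),
            "status": status, "ts": record.get("ts"), "reason": reason}


def find_backup_downloads(text):
    """Run classify() over every record and keep the alerts."""
    return [a for a in (classify(r) for r in parse_zeek_log(text)) if a]


if __name__ == "__main__":
    for alert in find_backup_downloads(SAMPLE_HTTP_LOG):
        print(f"[{alert['severity']}] {alert['ts']} {alert['src']} "
              f"{alert['uri']} {alert['status']}: {alert['reason']}")
```

The archive MIME check is deliberately independent of the URI hints: if the real endpoint path differs from the placeholder, a gzip or tar response from the management address still raises the high-severity alert. Feed the function the contents of the sensor's http.log, or point it at the same fields in a SIEM export, and review every "high" before assuming the device's credentials are still private.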
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-12-24T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6960197501d35e5d0ca49c5d
Added to database: 1/8/2026, 8:54:13 PM
Last enriched: 1/8/2026, 9:08:38 PM
Last updated: 1/9/2026, 3:49:21 PM