CVE-2025-9725: Use of Hard-coded Password in Cudy LT500E
A vulnerability was identified in Cudy LT500E up to version 2.3.12. An unknown function of the file /squashfs-root/etc/shadow in the Web Interface component is affected. The flaw is the use of a hard-coded password. The attack must be carried out locally; its complexity is rated as high and exploitation is considered difficult. An exploit is publicly available and might be used. Upgrading to version 2.3.13 addresses this issue; upgrading the affected component is recommended. The vendor explains: "[T]he firmware does store a default password of 'admin'. This password has been deprecated since LT500E firmware version 2.3.13 and is no longer used. The LT500E does not have an administrator password set by default; a new password (at least 8 characters) must be manually created upon first login [to] the web management page."
AI Analysis
Technical Summary
CVE-2025-9725 is a vulnerability in Cudy LT500E router firmware versions up to 2.3.12. The issue is a hard-coded default password ('admin') stored within the device's web interface component, specifically in an unknown function related to the /squashfs-root/etc/shadow file. This hard-coded password allows an attacker with local access to the device to potentially authenticate without authorization. The vulnerability requires local access, and the attack complexity is rated as high, indicating that exploitation is not straightforward. Exploitation is considered difficult, and no user interaction is required once local access is obtained. The vendor deprecated the default password starting from firmware version 2.3.13: the device no longer sets an administrator password by default and requires a new password of at least 8 characters to be created on first login to the web management interface. The CVSS 4.0 score is low (2.0), reflecting limited impact and high attack complexity. No exploitation in the wild is known, but public exploit code exists. The vulnerability primarily affects the confidentiality of the device's management interface, with no direct impact on integrity or availability reported. The scope is limited to local attackers with at least low privileges; no network-based exploitation is indicated.
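The advisory locates the problem in the etc/shadow of the extracted firmware root (squashfs-root is the usual output directory of unsquashfs). The following is an added example, not code from the advisory, VulDB or Cudy: a small Python auditor that a defender can run over an extracted image to flag any system account that ships with a usable password hash, because a hash baked into a firmware image is by definition a credential shared by every device flashed with it. The shadow lines in SAMPLE_SHADOW are constructed for illustration, and the command-line path is an assumption.

```python
"""Audit an extracted firmware root's etc/shadow for shipped credentials.

Added example, not code from the advisory, VulDB or the vendor. Any account
whose shadow entry carries a real password hash inside a firmware image is a
hard-coded credential: every device flashed with that image shares it. The
shadow contents below are constructed for illustration and are not taken
from the Cudy LT500E firmware.
"""
import sys
from dataclasses import dataclass

# Constructed sample of what an extracted squashfs-root/etc/shadow might hold.
SAMPLE_SHADOW = """\
root:$1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA:19600:0:99999:7:::
daemon:*:19600:0:99999:7:::
nobody:!:19600:0:99999:7:::
admin::19600:0:99999:7:::
"""

# crypt(3) hash-id prefixes; a field without a '$' prefix is legacy DES crypt.
_ALGORITHMS = {
    "$1$": "md5-crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256-crypt",
    "$6$": "sha512-crypt",
    "$y$": "yescrypt",
}


@dataclass
class ShadowEntry:
    user: str
    field: str  # raw second field of the shadow line

    @property
    def status(self) -> str:
        """locked: no password can match; empty: no password set;
        hashed: a usable password is baked into the image."""
        if self.field == "*" or self.field.startswith("!"):
            return "locked"
        if self.field == "":
            return "empty"
        return "hashed"

    @property
    def algorithm(self) -> str:
        """Name the hash scheme so weak legacy schemes stand out in the report."""
        if self.status != "hashed":
            return "none"
        for prefix, name in _ALGORITHMS.items():
            if self.field.startswith(prefix):
                return name
        return "des-crypt"


def parse_shadow(text: str) -> list[ShadowEntry]:
    """Parse shadow(5) lines; only the first two fields matter for this audit."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        entries.append(ShadowEntry(parts[0], parts[1]))
    return entries


def audit_shadow(text: str) -> dict[str, list[str]]:
    """Group account names by status; the 'hardcoded' bucket is the finding."""
    findings: dict[str, list[str]] = {"hardcoded": [], "empty": [], "locked": []}
    buckets = {"hashed": "hardcoded", "empty": "empty", "locked": "locked"}
    for entry in parse_shadow(text):
        findings[buckets[entry.status]].append(entry.user)
    return findings


def report(text: str) -> list[str]:
    """One human-readable line per account that needs attention."""
    lines = []
    for entry in parse_shadow(text):
        if entry.status == "hashed":
            lines.append(f"{entry.user}: hard-coded credential ({entry.algorithm})")
        elif entry.status == "empty":
            lines.append(f"{entry.user}: empty password field "
                         "(passwordless login possible if the login program allows nullok)")
    return lines


if __name__ == "__main__":
    # Assumed usage: python audit_shadow.py /path/to/squashfs-root/etc/shadow
    # With no argument, the constructed sample is audited instead.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHADOW
    for line in report(source) or ["no shipped credentials found"]:
        print(line)
```

A clean shadow file does not by itself clear a device: embedded web interfaces frequently keep their own credential store in a separate configuration file, so the same question (does the image ship with a usable secret?) should be asked of those files as well. The check above only classifies entries; it does not attempt to recover any password.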
Potential Impact
For European organizations, the impact of this vulnerability is generally limited but still significant in certain contexts. Organizations using Cudy LT500E routers in their internal networks could face unauthorized access risks if an attacker gains local access, such as through physical presence or compromised internal systems. This could lead to unauthorized configuration changes, exposure of network management data, or pivoting to other internal systems. However, since exploitation requires local access and has high complexity, the risk of widespread remote attacks is low. The confidentiality of device management credentials is at risk, which could undermine network security controls. In environments with less stringent physical security or where devices are deployed in accessible locations, the threat is more pronounced. European organizations in sectors with high security requirements (e.g., critical infrastructure, finance, healthcare) should be particularly cautious, as unauthorized access to network devices could have cascading effects on operational security and compliance with regulations such as GDPR and NIS Directive.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should prioritize upgrading all affected Cudy LT500E devices to firmware version 2.3.13 or later, where the hard-coded password is removed and password creation is enforced on first login. Network administrators should conduct an inventory to identify devices running vulnerable firmware versions. Physical security controls should be strengthened to prevent unauthorized local access to network devices. Additionally, organizations should implement network segmentation to isolate management interfaces from general user networks, reducing the risk of local attackers reaching these devices. Enabling logging and monitoring for unusual access attempts to the web management interface can help detect potential exploitation attempts. Where possible, disable or restrict local management access and use secure management protocols. Regularly reviewing and enforcing strong password policies for device management is essential. Finally, organizations should consider deploying endpoint security solutions to detect and prevent lateral movement that could lead to local access on these devices.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-30T13:40:00.256Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68b42148ad5a09ad00b97195
Added to database: 8/31/2025, 10:17:44 AM
Last enriched: 9/8/2025, 12:35:53 AM
Last updated: 10/17/2025, 12:22:01 AM
Views: 51