
CVE-2025-9725: Use of Hard-coded Password in Cudy LT500E

Severity: Low
Type: Vulnerability
Published: Sun Aug 31 2025 (08/31/2025, 10:02:06 UTC)
Source: CVE Database V5
Vendor/Project: Cudy
Product: LT500E

Description

A vulnerability was identified in Cudy LT500E up to 2.3.12. An unknown function of the file /squashfs-root/etc/shadow in the Web Interface component is affected. The manipulation leads to use of a hard-coded password. The attack must be carried out locally. The attack's complexity is rated as high. Exploitation is reported to be difficult. The exploit is publicly available and might be used. Upgrading to version 2.3.13 addresses this issue. It is recommended to upgrade the affected component. The vendor explains: "[T]he firmware does store a default password of 'admin'. This password has been deprecated since LT500E firmware version 2.3.13 and is no longer used. The LT500E does not have an administrator password set by default; a new password (at least 8 characters) must be manually created upon first login to the web management page."

AI-Powered Analysis

Last updated: 08/31/2025, 10:32:43 UTC

Technical Analysis

CVE-2025-9725 is a vulnerability identified in the Cudy LT500E router firmware versions up to 2.3.12. The issue arises from the presence of a hard-coded default password ('admin') stored within the device's web interface component, specifically in the /squashfs-root/etc/shadow file. This password allows local attackers with limited privileges to potentially gain unauthorized access to the device's management interface. The vulnerability requires local access to the device, and exploitation complexity is considered high due to the need for physical or local network access and the difficulty in leveraging the hard-coded password effectively. The vendor has deprecated this default password starting with firmware version 2.3.13, which enforces the creation of a unique administrator password of at least 8 characters upon first login, thereby mitigating the risk. The CVSS 4.0 base score is 2.0, indicating a low severity level, primarily because the attack vector is local, requires high complexity, and has limited impact on confidentiality, integrity, and availability. No known exploits are currently active in the wild, but public exploit code exists, which could increase risk if local access is obtained. The vulnerability highlights the risks associated with hard-coded credentials in embedded devices, which can serve as an entry point for further network compromise if not addressed.
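The check below is an added example, not code from this page or from the vendor: it audits the `etc/shadow` file of an unpacked firmware image and lists every account that ships with a usable credential, which is the condition this CVE describes. The function names are hypothetical and the sample entries are constructed placeholders, not values taken from LT500E firmware.

```python
from pathlib import Path

# crypt(3) prefixes and the scheme they identify
SCHEMES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
           "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}
WEAK = {"md5crypt", "descrypt"}

def classify(field):
    """Return (status, scheme) for the password field of one shadow entry."""
    if field == "":
        return "empty-password", None
    if field[0] in "!*":
        return "locked", None
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return "hash-present", name
    # 13 characters with no '$' prefix is the traditional DES crypt format
    if len(field) == 13:
        return "hash-present", "descrypt"
    return "unusable", None

def audit_shadow(text):
    """List accounts in shadow-format text that ship with a usable credential."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        status, scheme = classify(parts[1])
        if status in ("hash-present", "empty-password"):
            findings.append({"user": parts[0], "status": status,
                             "scheme": scheme, "weak_scheme": scheme in WEAK})
    return findings

def audit_firmware_root(root):
    """Audit <root>/etc/shadow, e.g. root='squashfs-root' after unpacking."""
    return audit_shadow((Path(root) / "etc" / "shadow").read_text())

# Constructed sample; the hash strings are placeholders, not values from any firmware.
SAMPLE_SHADOW = """\
root:$1$EXAMPLE0$PLACEHOLDERPLACEHOLDER0:19000:0:99999:7:::
daemon:*:0:0:99999:7:::
support::0:0:99999:7:::
nobody:!:0:0:99999:7:::
"""
```

A finding only shows that the image carries a baked-in or empty credential; whether the running device still honours it (the vendor states it does not from 2.3.13) has to be confirmed on the device itself.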

Potential Impact

For European organizations, the impact of this vulnerability is generally low but context-dependent. Since exploitation requires local access, the threat is mainly relevant in environments where attackers can physically access devices or gain local network access, such as in poorly secured office spaces, shared facilities, or through insider threats. If exploited, an attacker could gain administrative control over the affected router, potentially allowing them to alter network configurations, intercept or redirect traffic, or create persistent backdoors. This could lead to confidentiality breaches or network disruptions. However, the limited exploitability and requirement for local access reduce the likelihood of widespread impact. Organizations with remote or distributed workforces using Cudy LT500E devices in less controlled environments may face higher risks. Additionally, sectors with high security requirements, such as critical infrastructure or government entities, should consider the potential for targeted attacks leveraging this vulnerability as part of a broader attack chain.

Mitigation Recommendations

European organizations should prioritize upgrading all Cudy LT500E devices to firmware version 2.3.13 or later, which removes the hard-coded default password and enforces secure password creation. Network administrators should conduct an inventory to identify affected devices and apply patches promptly. In environments where immediate firmware updates are not feasible, organizations should restrict physical and local network access to these devices, implementing strict access controls and monitoring. Disabling or limiting web interface access to trusted management networks and using network segmentation can reduce exposure. Additionally, organizations should enforce strong password policies and consider implementing multi-factor authentication if supported. Regular audits of device configurations and logs can help detect unauthorized access attempts. Training staff on the risks of default credentials and the importance of secure device management is also recommended to prevent exploitation via social engineering or insider threats.


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-30T13:40:00.256Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68b42148ad5a09ad00b97195

Added to database: 8/31/2025, 10:17:44 AM

Last enriched: 8/31/2025, 10:32:43 AM

Last updated: 9/1/2025, 10:33:03 AM
