Description

The authentication mechanism on the web interface is not properly implemented. It is possible to bypass authentication checks by crafting a POST request with new settings, since there is no session token or authentication in place. This would allow an attacker, for instance, to point the device to an arbitrary address for domain name resolution, e.g. to facilitate a man-in-the-middle (MitM) attack.

PUBLISHED Reserved 2025-04-15 | Published 2025-12-13 | Updated 2025-12-16 | Assigner DIVD




CRITICAL: 9.3

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H

Problem types

CWE-290 Authentication Bypass by Spoofing

Product status

Default status: unaffected

3.6.0.0 (semver): affected

Credits

Hamid Rahmouni (finder)

Victor Pasman (analyst)

References

csirt.divd.nl/CVE-2025-36754/ (third-party-advisory)

cve.org (CVE-2025-36754)

nvd.nist.gov (CVE-2025-36754)

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.