CVE-2025-3758 | THREATINT

Description

WF2220 exposes endpoint /cgi-bin-igd/netcore_get.cgi that returns configuration of the device to unauthorized users. Returned configuration includes cleartext password. The vendor was contacted early about this disclosure but did not respond in any way.

PUBLISHED Reserved 2025-04-17 | Published 2025-05-08 | Updated 2025-10-03 | Assigner CERT-PL

HIGH: 8.7CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-306 Missing Authentication for Critical Function

CWE-256 Plaintext Storage of a Password

Product status

Default status

unknown

1.2.31706

affected

Credits

Kamil Szczurowski finder

References

cert.pl/posts/2025/05/CVE-2025-3758 third-party-advisory

cert.pl/en/posts/2025/05/CVE-2025-3758 third-party-advisory

cve.org (CVE-2025-3758)

nvd.nist.gov (CVE-2025-3758)

Download JSON