CVE-2025-25056
Description
Cross-site request forgery vulnerability exists in Wi-Fi AP UNIT 'AC-WPS-11ac series'. If a user views a malicious page while logged in, unintended operations may be performed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site request forgery in Inaba Denki Sangyo AC-WPS-11ac series allows attackers to perform unintended operations when a logged-in user visits a malicious page.
Vulnerability Overview
CVE-2025-25056 is a cross-site request forgery (CSRF) vulnerability in the web-based management interface of Inaba Denki Sangyo's Wi-Fi AP UNIT 'AC-WPS-11ac series'. The vulnerability stems from insufficient CSRF protections, allowing an attacker to trick an authenticated user into executing unintended actions on the device. Affected models include AC-WPS-11ac, AC-WPS-11ac-P, AC-WPSM-11ac, AC-WPSM-11ac-P, AC-PD-WPS-11ac, and AC-PD-WPS-11ac-P running firmware version v2.0.03P or earlier [1].
Exploitation Conditions
To exploit this vulnerability, an attacker must convince a user who is currently logged into the device's web interface to visit a malicious page or click a crafted link. The attacker does not require any prior authentication or network access beyond the ability to deliver the malicious content to the victim. The user's active session is then leveraged to perform unauthorized operations on the device [1].
Impact
Successful exploitation allows an attacker to perform unintended operations on the device, such as modifying configuration settings. According to the CVSS v3.1 score of 4.3 (Medium), the impact is limited to low integrity compromise; there is no direct impact on confidentiality or availability. This vulnerability is classified under CWE-352 [1].
Mitigation
Inaba Denki Sangyo has released firmware updates to address this vulnerability. Users are advised to update their devices to the latest available firmware version. No workarounds are documented; the vendor recommends applying the patch as the primary mitigation [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.