CVE-2025-56007
Description
CRLF injection in KeeneticOS before 4.3 at the "/auth" API endpoint allows attackers to take over the device by adding additional users with full permissions, after tricking the victim into opening a page containing the exploit.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CRLF injection in KeeneticOS /auth endpoint allows unauthenticated attackers to achieve XSS and device takeover via crafted URL.
Vulnerability
CVE-2025-56007 is a CRLF injection vulnerability in the /auth API endpoint of KeeneticOS versions before 4.3. The endpoint accepts a hidden url parameter that, when provided, sets the Location header for redirecting authenticated users. However, the server does not sanitize the parameter, allowing an attacker to inject CRLF sequences (%0d%0a or %0a) to insert arbitrary HTTP headers and body content into the response [2].
Exploitation
An attacker can craft a malicious link that, when visited by an authenticated victim, triggers the injection. By starting the payload with %0a, the attacker can suppress the redirect and set the Content-Type header to text/html, then inject arbitrary HTML and JavaScript. The final payload takes the form: /auth?url=%0aContent-Type:text/html%0a%0a [2]. The victim must be logged into the router's admin panel for the exploit to succeed, but no other authentication is required from the attacker.
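As an added illustration (not code from KeeneticOS or from the cited write-up), the following Python models a redirect handler that copies a decoded `url` query parameter into the `Location` header, the hardened form of the same handler that validates the parameter after percent-decoding, and an access-log check that flags `/auth` requests whose `url` parameter decodes to CR or LF. The handler names, the toy response format and the lenient client-side parser are all constructed for the demonstration; the only value taken from the advisory is the shape of the payload.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed toy model of a redirect handler that copies a "url" query
# parameter into the Location header. Illustrative code only; it is not
# KeeneticOS source and does not reproduce that firmware's real handler.

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def build_redirect_vulnerable(url_param: str) -> bytes:
    """Naive handler: percent-decodes the parameter and writes it straight
    into the Location header. A decoded CR or LF ends the header line, so
    everything after it becomes attacker-controlled headers and body."""
    location = unquote(url_param)
    response = f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n\r\n"
    return response.encode("latin-1")


def is_safe_redirect_target(value: str) -> bool:
    """Accept only a same-origin path: no control characters (which also
    rules out header injection), no scheme or host, and no protocol-
    relative '//host' or '/\\host' form."""
    if CONTROL_CHARS.search(value):
        return False
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return False
    return value.startswith("/") and value[1:2] not in ("/", "\\")


def build_redirect_hardened(url_param: str, fallback: str = "/") -> bytes:
    """Same handler with the parameter validated after decoding; anything
    that fails validation falls back to a fixed landing page."""
    location = unquote(url_param)
    if not is_safe_redirect_target(location):
        location = fallback
    response = f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n\r\n"
    return response.encode("latin-1")


def parse_response(raw: bytes) -> tuple[dict, bytes]:
    """Lenient parser standing in for a client that accepts a bare LF as a
    line terminator. Returns (headers, body); the status line is dropped."""
    blank = re.search(rb"\r?\n\r?\n", raw)
    if blank:
        head, body = raw[:blank.start()], raw[blank.end():]
    else:
        head, body = raw, b""
    headers = {}
    for line in re.split(rb"\r?\n", head)[1:]:
        name, sep, val = line.partition(b":")
        if sep:
            headers[name.strip().decode("latin-1")] = val.strip().decode("latin-1")
    return headers, body.strip(b"\r\n")


def flags_crlf_in_auth_request(request_target: str) -> bool:
    """Access-log check: true for a /auth request whose url parameter
    percent-decodes to something containing CR or LF. The target is split
    by hand because urlsplit silently strips newline characters."""
    path, _, query = request_target.partition("?")
    if path != "/auth":
        return False
    return any(
        key == "url" and re.search(r"[\r\n]", val)
        for key, val in parse_qsl(query, keep_blank_values=True)
    )


if __name__ == "__main__":
    # Constructed payload in the shape the advisory describes: a leading LF
    # empties Location, and the rest becomes a new header plus a body.
    PAYLOAD = "%0aContent-Type:text/html%0a%0a<b>injected</b>"
    for name, handler in (("vulnerable", build_redirect_vulnerable),
                          ("hardened", build_redirect_hardened)):
        headers, body = parse_response(handler(PAYLOAD))
        print(f"{name}: headers={headers} body={body!r}")
    print("log check:", flags_crlf_in_auth_request("/auth?url=" + PAYLOAD))
```

Run stand-alone, the vulnerable handler yields a response whose parsed headers contain `Content-Type: text/html` and whose body is the injected markup, while the hardened handler falls back to `Location: /` with an empty body. Validating after decoding matters: the same check applied to the raw, still percent-encoded string would never see the CR or LF.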
Impact
Successful exploitation results in reflected XSS within the router's administrative interface. An attacker can then execute arbitrary JavaScript in the context of the admin session, enabling full device takeover. This includes adding new users with administrative privileges, modifying network settings, or exfiltrating sensitive data [1][2].
Mitigation
Keenetic has addressed this vulnerability in KeeneticOS version 4.3 and later. Users are strongly advised to update their firmware to the latest version. No workarounds are available for unpatched versions [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- KeeneticOS / KeeneticOS
- Range: <4.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- keenetic.com/global/security (NVD: Vendor Advisory)
- keenetic.com (NVD: Product)
- github.com/notdenied/writeups/blob/main/CVE/CVE-2025-56007.md (NVD)
News mentions
No linked articles in our index yet.