CVE-2025-56009
Description
Cross-site request forgery (CSRF) vulnerability in KeeneticOS before 4.3 at the "/rci" API endpoint allows attackers to take over the device by adding additional users with full permissions, by tricking the victim into opening a page containing the exploit.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF in KeeneticOS before 4.3 at /rci endpoint allows attackers to add admin users by tricking victims into visiting a malicious page.
Vulnerability
A cross-site request forgery (CSRF) vulnerability exists in KeeneticOS versions prior to 4.3 at the /rci API endpoint. The endpoint lacks any CSRF protections such as anti-CSRF tokens or content-type validation, making it possible for an attacker to perform state-changing operations on behalf of an authenticated user [1]. The affected route is the primary API used for device configuration.
Exploitation
Exploitation is straightforward: an attacker crafts a web page with an auto-submitting form that sends a POST request to /rci with enctype="text/plain". Although the form's encoding type is text/plain, the request body carries a valid JSON payload. The victim, while authenticated to their Keenetic device, visits the attacker's page, and the browser submits the request with the victim's session cookie, so the attacker's chosen action is executed [2].
Impact
By leveraging this CSRF, an attacker can add new users with full administrative privileges. The example payload from a public writeup creates a user named "test" with a password "123" and grants access to CLI, HTTP, IPsec, and other interfaces, as well as remote shell access. This effectively gives the attacker full control over the device [2].
Mitigation
Keenetic has addressed this issue in version 4.3 of KeeneticOS. Users are advised to update their devices to the latest firmware. There is no known workaround other than updating [1].
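The gap described above is a JSON configuration API that accepts state-changing POSTs on the strength of a session cookie alone, without checking Content-Type or the request's origin. The guard below is an added example, not KeeneticOS code and not from the cited writeup; it shows the server-side checks a defender would put in front of such an endpoint, and why each one stops a plain HTML form submitted from another site. The path /rci, the trusted origin list, the X-Requested-With header and the sample requests are assumptions constructed for the example.

```python
"""Server-side CSRF guard for a JSON configuration API (added example,
not KeeneticOS code). Models the weakness described for /rci: an HTML
form with enctype="text/plain" can deliver a JSON-shaped body using the
victim's session cookie, so the server must not trust the body alone."""

from dataclasses import dataclass, field
from typing import Optional, Tuple
import json

# Origins from which the device's own web UI is served (constructed values).
TRUSTED_ORIGINS = {"http://192.168.1.1", "https://192.168.1.1"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""

    def header(self, name: str) -> Optional[str]:
        # HTTP header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def csrf_check(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request to the configuration API.

    Three independent checks, each of which on its own defeats a plain
    HTML form submitted from a third-party page:
      1. Content-Type must be application/json. A form can only send
         application/x-www-form-urlencoded, multipart/form-data or
         text/plain, so a JSON-shaped body under text/plain is rejected.
      2. A custom request header must be present. Forms cannot set
         custom headers; only same-origin script (or a CORS-preflighted
         request, which the server can refuse) can add one.
      3. If the browser sent an Origin header, it must be one of the
         device's own origins.
    """
    if req.method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"

    ctype = (req.header("Content-Type") or "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False, f"unexpected content type: {ctype or '<none>'}"

    if req.header("X-Requested-With") is None:
        return False, "missing X-Requested-With header"

    origin = req.header("Origin")
    if origin is not None and origin not in TRUSTED_ORIGINS:
        return False, f"untrusted origin: {origin}"

    try:
        json.loads(req.body)
    except ValueError:
        return False, "body is not valid JSON"
    return True, "ok"


# Constructed sample traffic: a cross-site form post carrying the victim's
# cookie, and a legitimate same-origin request from the device's own UI.
CROSS_SITE_FORM_POST = Request(
    "POST", "/rci",
    {"Content-Type": "text/plain", "Origin": "http://attacker.example",
     "Cookie": "session=victim-session"},
    '{"user": "test"}',
)
LEGITIMATE_UI_POST = Request(
    "POST", "/rci",
    {"Content-Type": "application/json; charset=utf-8",
     "X-Requested-With": "XMLHttpRequest", "Origin": "http://192.168.1.1",
     "Cookie": "session=victim-session"},
    '{"user": "test"}',
)

if __name__ == "__main__":
    for label, req in (("cross-site form", CROSS_SITE_FORM_POST),
                       ("device UI", LEGITIMATE_UI_POST)):
        print(label, csrf_check(req))
```

The Content-Type check alone is what closes the text/plain trick, but the custom-header and Origin checks are kept because a later change (for example, a permissive CORS policy) could re-open the first one; defence in depth costs nothing here.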
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- KeeneticOS/KeeneticOS
- Range: <4.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] keenetic.com/global/security (NVD, Vendor Advisory)
- keenetic.com (NVD, Product)
- [2] github.com/notdenied/writeups/blob/main/CVE/CVE-2025-56009.md (NVD)
News mentions
No linked articles in our index yet.