CVE 9.4 CRITICAL

OS Command Injection in WODESYS WD-R608U router_CVE-2025-65008

December 18, 2025 invoker category_cve

9.4 / 10

CRITICAL

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Description

In WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) due to lack of validation in the langGet parameter in the adm.cgi endpoint, the malicious attacker can execute system shell commands.

The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version WDR28081123OV1.01 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

AI Analysis

OS Command Injection vulnerability in WODESYS WD-R608U router due to lack of validation in the langGet parameter in the adm.cgi endpoint, allowing malicious attackers to execute system shell commands.

Basic Information

ID CVE-2025-65008

Source CERT-PL

Published Dec 18, 2025 at 15:10

Affected Product

Vendor WODESYS

Product WD-R608U

Version WDR28081123OV1.01

Affected Versions WODESYS WD-R608U WDR28081123OV1.01
WODESYS WDR28 WDR28081123OV1.01
WODESYS WDR122B V2.0 WDR28081123OV1.01

CWE Classification

CWE-78

AI Assessment

AI Score 9.4 / 10

AI Severity Critical

Vendor WODESYS

Product WD-R608U

Version WDR28081123OV1.01

References

{
    "lastseen": "",
    "description": "In WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) due to lack of validation in the langGet parameter in the adm.cgi endpoint, the malicious attacker can execute system shell commands.\n\nThe vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version WDR28081123OV1.01 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.",
    "published": "2025-12-18T15:10:27.392Z",
    "modified": "2025-12-18T15:10:27.392Z",
    "type": "cve",
    "title": "OS Command Injection in WODESYS WD-R608U router",
    "source": "CERT-PL",
    "references": "http://www.wodesys.com/eproductms52.html\nhttps://cert.pl/en/posts/2025/12/CVE-2025-65007\nhttps://github.com/wcyb/security_research",
    "id": "CVE-2025-65008",
    "bulletinFamily": "",
    "cwe": [
        "CWE-78"
    ],
    "cvelist": null,
    "sourceData": "WODESYS WD-R608U WDR28081123OV1.01\nWODESYS WDR28 WDR28081123OV1.01\nWODESYS WDR122B V2.0 WDR28081123OV1.01",
    "sourceHref": "",
    "cvss": {
        "score": 9.4,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "WD-R608U",
    "version": "WDR28081123OV1.01",
    "vendor": "WODESYS",
    "ai_description": "OS Command Injection vulnerability in WODESYS WD-R608U router due to lack of validation in the langGet parameter in the adm.cgi endpoint, allowing malicious attackers to execute system shell commands.",
    "ai_severity": "Critical",
    "ai_vendor": "WODESYS",
    "ai_product": "WD-R608U",
    "ai_version": "WDR28081123OV1.01",
    "ai_score": 9.4
}

💭 Join the Security Discussion ❌ Cancel Reply