CVE-2025-43983

KuWFi · CPF908-CP5

KuWFi CPF908-CP5 devices contain unauthenticated access control vulnerabilities in the goform/goform_set_cmd_process and goform/goform_get_cmd_process endpoints.

Executive summary

Critical unauthenticated access control vulnerabilities in KuWFi CPF908-CP5 devices could allow remote attackers to gain unauthorized control over device functions.

Vulnerability

The device performs no authentication check on the /goform/goform_set_cmd_process and /goform/goform_get_cmd_process endpoints. Any client that can reach the web interface can therefore issue the set and get commands those endpoints handle without a valid session, giving unauthenticated access to sensitive device command processing.

Business impact

The CVSS score of 9.1 reflects the severity of this access control failure. Because no authentication is required, an attacker with network access to the web interface can alter device configuration through the set endpoint and read configuration and status data through the get endpoint, potentially resulting in full compromise of the device and of the network it serves.

Remediation

Immediate Action: Update the firmware on affected CPF908-CP5 devices to the latest available version provided by the manufacturer, and confirm from the vendor's release notes that the version applied addresses this issue. Until a fixed version is installed, rely on the compensating controls described here.

Proactive Monitoring: Inspect web access logs for requests to /goform/goform_set_cmd_process and /goform/goform_get_cmd_process (and to the /goform/ directory in general) from addresses outside the trusted management network. Since these endpoints accept commands without a session, any such request from an untrusted or external source should be treated as a possible unauthorized command rather than as noise.

Compensating Controls: Implement strict network segmentation so that the administrative web interface is reachable only from designated management hosts or a management VLAN, and is not exposed to the public internet or to untrusted network segments. Verify the restriction from an untrusted vantage point rather than assuming it from configuration alone.
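The following is an added worked example of the monitoring recommendation above; it is not code from the advisory or from the device vendor. It parses access-log lines, assumed to be in Common Log Format (the device's real log layout may differ), and flags requests to the two endpoints named in this advisory that originate outside an assumed set of trusted management networks (192.168.1.0/24 and 10.0.0.0/8, which you would replace with your own). The sample log lines are constructed for the demonstration and do not reflect real device output or any real request parameters.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# The two endpoints the advisory names. A request to either of them from a
# source that is not on a trusted management network is worth investigating.
SENSITIVE_ENDPOINTS = frozenset({
    "/goform/goform_set_cmd_process",
    "/goform/goform_get_cmd_process",
})

# Assumption: management traffic is only expected from these ranges.
# Replace with the ranges legitimately allowed to reach the device's web UI.
TRUSTED_NETWORKS = tuple(
    ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.0.0.0/8")
)

# Assumption: the log is in Common Log Format. The device's own access-log
# layout may differ; adjust the pattern if it does.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_trusted(ip_text):
    """True if the source address lies inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable source address: treat as untrusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Compare on the path only, so a query string cannot hide the endpoint.
    rec["path"] = urlsplit(rec["target"]).path
    rec["status"] = int(rec["status"])
    return rec


def find_suspicious(lines):
    """Return records for requests to the sensitive endpoints from untrusted sources."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] in SENSITIVE_ENDPOINTS and not is_trusted(rec["ip"]):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count flagged requests per source address, most active first."""
    return Counter(h["ip"] for h in hits).most_common()


# Constructed sample log lines (not real device output). The query string on
# the fourth line is a placeholder, not a real parameter of the device.
SAMPLE_LOG = """\
192.168.1.10 - - [12/May/2025:08:01:12 +0000] "GET /index.html HTTP/1.1" 200 1843
203.0.113.45 - - [12/May/2025:08:02:03 +0000] "POST /goform/goform_set_cmd_process HTTP/1.1" 200 57
192.168.1.10 - - [12/May/2025:08:02:40 +0000] "GET /goform/goform_get_cmd_process HTTP/1.1" 200 312
198.51.100.7 - - [12/May/2025:08:03:15 +0000] "GET /goform/goform_get_cmd_process?placeholder=1 HTTP/1.1" 200 312
198.51.100.7 - - [12/May/2025:08:03:16 +0000] "GET /favicon.ico HTTP/1.1" 404 0
this line does not match the expected format and is skipped
"""

if __name__ == "__main__":
    flagged = find_suspicious(SAMPLE_LOG.splitlines())
    for h in flagged:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print("flagged requests per source:", summarize(flagged))
```

On the sample input only the two requests from 203.0.113.45 and 198.51.100.7 are flagged; the request to the get endpoint from 192.168.1.10 is inside the trusted range and is ignored, as is the unrelated favicon request. Matching on the path rather than the full request target is deliberate, so an endpoint cannot be hidden behind a query string; unparsable source addresses are treated as untrusted so a malformed line never suppresses an alert.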

Exploitation status

Public Exploit Available: Not specified

Analyst recommendation

The absence of authentication on core command-processing functions makes these devices highly susceptible to remote exploitation by anyone who can reach the web interface. Immediate firmware updates are required to enforce proper access control; until they are applied, treat every network path to the device's web interface as an attack path and restrict it accordingly.