CVE-2025-43983
KuWFi · CPF908-CP5
KuWFi CPF908-CP5 devices contain unauthenticated access control vulnerabilities in the goform/goform_set_cmd_process and goform/goform_get_cmd_process endpoints.
Executive summary
Critical unauthenticated access control vulnerabilities in KuWFi CPF908-CP5 devices could allow remote attackers to gain unauthorized control over device functions.
Vulnerability
The device fails to perform authentication checks on the /goform/goform_set_cmd_process and /goform/goform_get_cmd_process endpoints, allowing unauthorized users to interact with sensitive device command processes.
Business impact
The CVSS score of 9.1 underscores the severity of this access control failure. By bypassing authentication, attackers can manipulate device configurations or retrieve sensitive information, potentially resulting in a full compromise of the device's operational integrity and network security.
Remediation
Immediate Action: Update the firmware on affected CPF908-CP5 devices to the latest available version provided by the manufacturer.
Proactive Monitoring: Inspect web access logs for requests to the /goform/ directory originating from untrusted or external IP addresses.
Compensating Controls: Implement strict network segmentation to ensure that the administrative interface of these devices is not reachable from the public internet or untrusted network segments.
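The Proactive Monitoring step above can be run as a simple log filter. The following is an added example, not code from the vendor or the original advisory; it assumes access logs in Common Log Format (for instance from a reverse proxy in front of the device) and a hypothetical trusted management subnet, and the sample lines are constructed.

```python
import ipaddress
import re

# Endpoints named in the advisory.
ENDPOINTS = ("/goform/goform_set_cmd_process", "/goform/goform_get_cmd_process")

# Assumption: management traffic is only expected from this admin subnet.
TRUSTED_NETS = [ipaddress.ip_network("192.168.10.0/24")]

# Assumption: Common Log Format; adjust the pattern to the real log source.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = """\
192.168.10.5 - - [01/Jan/2025:10:00:00 +0000] "GET /goform/goform_get_cmd_process?q=constructed HTTP/1.1" 200 120
203.0.113.7 - - [01/Jan/2025:10:01:00 +0000] "POST /goform/goform_set_cmd_process HTTP/1.1" 200 32
198.51.100.23 - - [01/Jan/2025:10:02:00 +0000] "GET /GoForm/goform_get_cmd_process?q=constructed HTTP/1.1" 200 98
203.0.113.7 - - [01/Jan/2025:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 5120
not a log line
"""

def is_trusted(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparseable source address is treated as untrusted
    return any(ip in net for net in TRUSTED_NETS)

def find_suspect_requests(log_text):
    """Return (ip, timestamp, method, path, status) for requests to the
    goform command endpoints that come from outside the trusted networks."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        # Drop the query string and normalise case so path variants are not missed.
        path = m["target"].split("?", 1)[0].lower().rstrip("/")
        if path in ENDPOINTS and not is_trusted(m["ip"]):
            hits.append((m["ip"], m["ts"], m["method"], path, int(m["status"])))
    return hits

if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged line means the request was answered without a session, which is the condition the advisory describes; those entries deserve review first.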
Exploitation status
Public Exploit Available: Not specified
Analyst recommendation
The absence of authentication on core command-processing functions makes these devices highly susceptible to remote exploitation. Immediate firmware updates are required to enforce proper security controls and prevent unauthorized access.