Full Report
CERT Polska has received a report about 2 vulnerabilities (CVE-2025-3758 and CVE-2025-3759) found in Netis Systems WF2220 software.
Analysis Summary
***
# Vulnerability: Missing Authentication Flaws in Netis WF2220 Leading to Configuration Exposure and Unauthorized Changes
## CVE Details
- **CVE ID:** CVE-2025-3758
- **CVSS Score:** Not explicitly provided (Severity inferred as High due to cleartext credential leak)
- **CWE:** CWE-306 (Missing Authentication for Critical Function)
- **CVE ID:** CVE-2025-3759
- **CVSS Score:** Not explicitly provided (Severity inferred as High due to remote configuration change)
- **CWE:** CWE-306 (Missing Authentication for Critical Function)
## Affected Systems
- **Products:** Netis Systems WF2220 software
- **Versions:** 1.2.31706
- **Configurations:** Standard installations of the affected firmware version.
## Vulnerability Description
The Netis Systems WF2220 software contains two distinct vulnerabilities, both stemming from a **Missing Authentication for Critical Function (CWE-306)**:
1. **CVE-2025-3758:** The endpoint `/cgi-bin-igd/netcore_get.cgi` is accessible without authorization. This endpoint unnecessarily returns the device's configuration data, which includes the **cleartext password**.
2. **CVE-2025-3759:** The endpoint `/cgi-bin-igd/netcore_set.cgi`, used for modifying device settings, is also accessible without requiring authentication. This allows an unauthenticated remote attacker to change critical device configurations (e.g., administrator password, AP password).
## Exploitation
- **Status:** PoC available (Implied by the public disclosure following the 90-day window, though not explicitly stated as public PoC)
- **Complexity:** Low (Given the unauthenticated nature of the endpoints)
- **Attack Vector:** Network (Remote exploitation possible)
## Impact
| Impact Metric | CVE-2025-3758 (Configuration Exposure) | CVE-2025-3759 (Unauthorized Configuration Change) |
| :--- | :--- | :--- |
| **Confidentiality** | High (Cleartext passwords exposed) | High (Sensitive configuration disclosure possible during modification attempts) |
| **Integrity** | Low | Critical (Ability to hijack administrative accounts or alter security settings) |
| **Availability** | Low | Medium (Disrupting service via misconfiguration) |
## Remediation
### Patches
- Vendor patch information was **not available** at the time of this summary; the vendor did not respond to the disclosure report. Users must monitor Netis Systems advisories for fixes addressing version 1.2.31706.
### Workarounds
Both vulnerabilities rely on unauthenticated access to specific CGI endpoints, so the available workarounds limit who can reach them:
1. **Network Isolation:** Restrict management access to the WF2220 device interfaces to trusted internal networks only, or block external WAN access to administrative ports.
2. If the firmware allows granular control over these services, use the device's firewall rules to disable or remove access to the exposed configuration endpoints.
## Detection
- **Indicators of Compromise:** Look for unexpected changes in device passwords, configuration updates originating from unusual sources, or high volumes of traffic directed at `/cgi-bin-igd/netcore_get.cgi` and `/cgi-bin-igd/netcore_set.cgi`.
- **Detection Methods and Tools:** Network monitoring systems (IDS/IPS) can be configured to alert on HTTP/HTTPS requests targeting these specific URI paths on the router's management interface.
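
The URI-based detection described above, as an added example (not code from CERT Polska or the vendor): it scans web access logs from a proxy or sensor in front of the router and reports every request to the two endpoints, marking whether the source sits inside a trusted management network. The Common Log Format input, the trusted subnet and the sample log lines are constructed assumptions.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Endpoints named in the advisory.
WATCHED = {
    "/cgi-bin-igd/netcore_get.cgi": "CVE-2025-3758 config read",
    "/cgi-bin-igd/netcore_set.cgi": "CVE-2025-3759 config write",
}
# Assumed input: Common Log Format written by a proxy/sensor in front of the router.
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

SAMPLE = [  # constructed log lines, not taken from a real device
    '192.168.1.10 - - [01/Jan/2025:10:00:00 +0000] "GET /index.htm HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2025:10:00:05 +0000] "GET /cgi-bin-igd/netcore_get.cgi HTTP/1.1" 200 4096',
    '203.0.113.7 - - [01/Jan/2025:10:00:09 +0000] "POST /cgi-bin-igd/%6eetcore_set.cgi?x=1 HTTP/1.1" 200 20',
    '192.168.1.10 - - [01/Jan/2025:10:01:00 +0000] "POST //cgi-bin-igd/./netcore_set.cgi HTTP/1.1" 200 20',
]

def normalize(target):
    """Reduce a request target to a canonical lower-case path before matching."""
    target = re.sub(r"^[a-z][a-z0-9+.-]*://[^/]*", "", target, flags=re.I)  # absolute-form URI
    path = unquote(target.split("?", 1)[0])  # drop query string, decode %xx
    return posixpath.normpath("/" + path.lstrip("/")).lower()  # collapse //, ./, ../

def flag_requests(lines, trusted_nets):
    """Return (src, method, label, status, from_trusted_net) for each watched request."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for line in lines:
        m = CLF.match(line)
        label = WATCHED.get(normalize(m["target"])) if m else None
        if label is None:
            continue  # unparseable line or unrelated path
        try:
            inside = any(ipaddress.ip_address(m["src"]) in n for n in trusted)
        except ValueError:
            inside = False  # source logged as a hostname: treat as untrusted
        findings.append((m["src"], m["method"], label, int(m["status"]), inside))
    return findings

if __name__ == "__main__":
    for src, method, label, status, inside in flag_requests(SAMPLE, ["192.168.1.0/24"]):
        print(f"{'info' if inside else 'ALERT'}: {src} {method} {label} (HTTP {status})")
```

Hits from outside the trusted network are the ones to escalate; hits from inside still deserve a look when they do not line up with a known administrative session.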
## References
- **Vendor Advisories:** None available/Vendor non-responsive.
- **Relevant Links:**
  - CERT Polska Report: [https://cert.pl/en/cve/vulnerabilities-in-netis-systems-wf2220-software/](https://cert.pl/en/cve/vulnerabilities-in-netis-systems-wf2220-software/)
  - CVE-2025-3758 Record: [https://www.cve.org/CVERecord?id=CVE-2025-3758](https://www.cve.org/CVERecord?id=CVE-2025-3758)
  - CVE-2025-3759 Record: [https://www.cve.org/CVERecord?id=CVE-2025-3759](https://www.cve.org/CVERecord?id=CVE-2025-3759)