PT-2025-52247 · Wodesys · Wdr122B V2.0+2

Wojciech Cybowski · Published 2025-12-18 · Updated 2025-12-18 · CVE-2025-65008

CVSS v4.0: 9.4 Critical
Vector: AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Name of the Vulnerable Software and Affected Versions

WODESYS WD-R608U router versions prior to WDR28081123OV1.01
WODESYS WDR122B V2.0 (affected versions not specified)
WODESYS WDR28 (affected versions not specified)

Description

A lack of input validation in the langGet parameter of the /adm.cgi API endpoint allows for the execution of system shell commands. The vendor was notified but did not provide details regarding vulnerable version ranges. Testing confirmed that version WDR28081123OV1.01 is vulnerable, and other versions may also be affected.

Recommendations

Update to version WDR28081123OV1.01 or later.
Restrict access to the /adm.cgi endpoint.
Sanitize the langGet parameter to prevent command injection.

Exploit

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2025-65008

Affected Products

Wd-R608U Router
Wdr122B V2.0
Wdr28