PatchSiren cyber security CVE debrief

CVE-2025-56007 Keenetic CVE debrief

CVE-2025-56007 describes a CRLF-injection issue in the /auth API endpoint of KeeneticOS before 4.3. According to the supplied CVE description, an attacker who induces a victim to open a crafted page can use the victim's browser session to create additional users with full permissions and take over the device. NVD rates the issue CVSS 3.1 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H).

Vendor: Keenetic
Product: KeeneticOS
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-10-23
Original CVE updated: 2026-05-20
Advisory published: 2025-10-23
Advisory updated: 2026-05-20

Who should care

Organizations and individuals running KeeneticOS appliances, especially any device exposed to untrusted browsing activity or managed in small-office/home-office environments. Security and operations teams should care most where local admin compromise would expose internal networks, internet access, or remote management.

Technical summary

The available record identifies a CRLF-injection weakness in KeeneticOS at the "/auth" API endpoint, affecting versions before 4.3. The described outcome is unauthorized creation of additional users with full permissions after the victim is induced to open a crafted page. NVD maps the weakness to CWE-93 (improper neutralization of CRLF sequences) and provides the CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating network reachability, low attack complexity, no prior privileges, and required user interaction. Note that the vector's impact metrics (C:N/I:N/A:H) score availability only, whereas the description speaks of account creation and device takeover; the narrative impact, not the numeric score, is the better basis for prioritization.

Defensive priority

High for any KeeneticOS deployment below 4.3, because the issue can lead to full device compromise after user interaction. Treat it as a patch-now issue if the device is internet-reachable or if administrators commonly browse the web from the same trust zone.

Recommended defensive actions

  • Upgrade KeeneticOS to version 4.3 or later as soon as possible.
  • Review the vendor security page for the October 2025 web API vulnerabilities advisory and confirm the affected models and remediation notes.
  • Check existing user accounts on affected devices for unexpected or newly added full-privilege accounts.
  • Restrict management access to trusted networks and administrative devices while remediation is pending.
  • Reduce exposure to untrusted links or pages on systems used to administer the device, since the reported attack path requires user interaction.

Evidence notes

This debrief is based only on the supplied CVE/NVD metadata and linked references. The CVE description states the issue, the affected version boundary, the endpoint, and the impact; NVD provides the CVSS vector, the CWE mapping, and the affected CPE range. The supplied corpus does not include the full vendor advisory text, so mitigation details are limited to the documented version boundary and the linked official references. NVD record published at 2025-10-23T15:15:39.097Z; modified at 2026-05-20T20:16:33.837Z.

Official resources

Publicly disclosed on 2025-10-23; the NVD record was last modified on 2026-05-20.