CVE-2025-0890

CWE-287Improper AuthenticationCWE-522Insufficiently Protected Credentials8 documents6 sources
Severity
9.8CRITICAL
EPSS
23.8%
top 3.99%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Zyxel Vmg4325-b10a Firmware
Timeline
PublishedFeb 4
Latest updateFeb 14

Description

**UNSUPPORTED WHEN ASSIGNED** Insecure default credentials for the Telnet function in the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an attacker to log in to the management interface if the administrators have the option to change the default credentials but fail to do so.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

CVEListV5zyxel/vmg4325-b10a_firmware1.00(AAFR.4)C0_20170615

🔴Vulnerability Details

3
CVEList
CVE-2025-0890: **UNSUPPORTED WHEN ASSIGNED** Insecure default credentials for the Telnet function in the legacy DSL CPE Zyxel VMG4325-B10A firmware version 12025-02-04
GHSA
GHSA-q2vf-jq2x-689c: **UNSUPPORTED WHEN ASSIGNED** Insecure default credentials for the Telnet function in the legacy DSL CPE Zyxel VMG4325-B10A firmware version 12025-02-04
VulnCheck
Zyxel vmg4325-b10a_firmware Improper Authentication2025

🔍Detection Rules

3
Suricata
ET EXPLOIT Zyxel DSL CPE Management Interface Default Credentials (admin) (CVE-2025-0890)2025-02-14
Suricata
ET EXPLOIT Zyxel DSL CPE Management Interface Default Credentials (zyuser) (CVE-2025-0890)2025-02-14
Suricata
ET EXPLOIT Zyxel DSL CPE Management Interface Default Credentials (supervisor) (CVE-2025-0890)2025-02-14

🕵️Threat Intelligence

1
Bleepingcomputer
Zyxel won’t patch newly exploited flaws in end-of-life routers2025-02-04
CVE-2025-0890 (CRITICAL CVSS 9.8) | **UNSUPPORTED WHEN ASSIGNED** Insec | cvebase.io