Embedded Linux Credentials Vulnerability in Billion Electric Routers
CVE-2025-1143

8.4HIGH

Key Information:

Vendor: Billion Electric
Status: M100; M150; M120n; M500
Vendor: CVE Published:; 11 February 2025

Summary

Certain models of routers manufactured by Billion Electric contain hard-coded credentials in their embedded Linux systems. This flaw allows unauthorized individuals to gain access via the SSH service, potentially leading to root-level control of the device. Such vulnerabilities emphasize the importance of securing default credentials and ensuring robust authentication mechanisms are employed.

Affected Version(s)

M100 1.04.1.159.* < 1.04.1.592.10

M100 1.04.1.613.* < 1.04.1.613.14

M100 1.04.1.* < 1.04.1.676

References

https://www.twcert.org.tw/tw/cp-132-8413-ec9a5-1.html

third-party-advisory

https://www.twcert.org.tw/en/cp-139-8414-096ce-2.html

third-party-advisory

CVSS V3.1

Score:

8.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 11, 2025
Vulnerability Reserved
Feb 10, 2025