Keenetic Product Security Advisory

Advisory ID: KEN-PSA-2025-WD01
Severity: Medium
CVE: CVE-2025-20674, CVE-2025-20685, CVE-2025-20686
Status: Resolved in KeeneticOS 4.3.2 and later

Keenetic is aware of an “Arbitrary Packet Injection” vulnerability in the Wi-Fi AP driver, reported by the chipset maker, Mediatek, Inc. There is a possible way to inject an arbitrary packet due to a missing permission check. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

The chipset manufacturer also reported additional vulnerabilities, such as a possible out-of-bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed.

The vulnerabilities are identified as CVE-2025-20674, CVE-2025-20685, CVE-2025-20686.

Potentially affected devices:
All Keenetic models with the “KN” index, released 2017 onwards, are based on Wi-Fi chipsets produced by Mediatek: MT7628, MT7603, MT7612, MT7613, MT7915, MT7916.

Affected firmware versions:
All KeeneticOS versions up to and including 4.3.1

Severity:
The severity is considered medium, as the attacker has to be in close physical proximity to the target device.

Solution:
KeeneticOS 4.3.2 includes necessary fixes addressing these vulnerabilities. This update applies to all affected Keenetic models. We strongly recommend users upgrade their devices to the latest KeeneticOS version available online. Keenetic has already begun rolling out automatic updates to devices that have the auto-update option enabled.

Advisory ID: KEN-PSA-2025-CS01
Severity: Medium
Status: Resolved

In light of newly discovered information, Keenetic Limited informs Keenetic Mobile App users who registered before March 16th, 2023, that part of their mobile app data may have been compromised due to unauthorised database access.

On the morning of March 15th 2023, we were informed by an independent IT security researcher about the possibility of unauthorised access to the Keenetic Mobile App database. After verifying the nature and credibility of the risk, we immediately resolved the issue on the afternoon of March 15th 2023. The IT security researcher assured us that he hadn't shared any data with anybody and destroyed it. Since then, we had no indication that the database was compromised or any user was affected until the end of February 2025.  

On February 28, 2025, we learned that some database information had been disclosed to an independent media outlet. Therefore, we have determined that we can no longer guarantee the data was properly destroyed, and some information may now be beyond our control.

However, due to the nature of the data that could be potentially exposed, we estimate the risk of fraudulent activity to be low.

A limited number of database fields were accessible: Keycloak IDs, emails (logins) and names of Keenetic accounts, locales; device user account configurations, including MD5 and NT password hashes; custom KeenDNS names; network interface configurations, including Wi-Fi SSIDs and preshared keys; Wi-Fi channel settings, roaming IDs and keys; IP policy and traffic shaping settings; remote peer addresses, logins and passwords of VPN clients, assigned IP addresses; names and MAC addresses of registered hosts; IPsec site-to-site configurations; IPsec Virtual-IP server configurations; DHCP pool settings; NTP settings; IP and MAC access lists.

To our best knowledge, no other data has been accessible. In particular, RMM data, Keenetic account data, private keys and configurations of Wireguard VPN tunnels, and OpenVPN data were inaccessible.

Keenetic doesn't collect, store, or analyse data on payment card details or related credentials, transactional data, banking details, or banking passwords. Thus, such data is not affected.

We recommend to these Keenetic mobile app users to change following passwords and pre-shared keys: 

- Keenetic device user account passwords (link to the instruction);

- Wi-Fi passwords (link to the instruction);

- VPN-client passwords/pre-shared keys for: PPTP/L2TP (link to the instruction), L2TP/IPSec (link to the instruction), IPSec Site-to-Site (link to the instruction), SSTP (link to the instruction).

We strongly believe that unauthorized access happened without any fraudulent or malicious intent, and database information is not available to the public, nevertheless, appropriate notification was sent to the relevant data protection authority. 

We apologize for any inconvenience and confirm that all the necessary actions have been taken to prevent a similar situation in the future.

We set security as our highest priority to deliver a protected and controllable environment to safeguard our users’ networks and data. We constantly work on improving our operating system, applications and cloud infrastructure. With regular updates, we continually enhance performance and security to ensure that our software stays up-to-date. 

If you have any questions, please do not hesitate to contact the relevant technical support team.

Advisory ID: KEN-PSA-2024-ED01
CVE: CVE-2024-4021, CVE-2024-4022
Severity: Low
Status: Resolved in KeeneticOS 4.3 and later

Keenetic was notified early and is fully aware of vulnerabilities CVE-2024-4021 and CVE-2024-4022.

Potentially affected devices:
- KN-1010
- KN-1410
- KN-1711
- KN-1810
- KN-1910

Affected firmware versions:
All KeeneticOS versions up to and including 4.1.2.15.

Clarification of the reported vulnerabilities:
1. CVE-2024-4022 refers to a reported disclosure of information intended to be publicly available. Displaying the model name and firmware version in the web interface is by design and not considered a vulnerability. The model name is explicitly shown on the user interface, and the firmware version can easily be approximated due to frequent updates which visibly change the interface.
2. CVE-2024-4021 does not enable remote access, control, or leakage of private user information. Instead, it allows an attacker to identify which software components (e.g., WPA3-E, WireGuard, OpenVPN) are installed on the router. Importantly, this vulnerability does not indicate whether these components are active or enabled. It also does not disclose if a specific service is being provided externally (for example, WireGuard could be available through port forwarding rather than installed on the router itself). After consulting an independent third-party security researcher, Keenetic classified this vulnerability as low-risk information disclosure. This means it does not directly compromise the device or user information.

Severity:
The severity of disclosure of excessive information about the device and operating system is considered low.

Solution:
Due to the low-risk nature of these vulnerabilities, Keenetic will address these issues in the next KeeneticOS update. A fix will be included in KeeneticOS version 4.3, scheduled for release by mid-2025. An urgent update is not required.

Advisory ID: KEN-PSA-2021-WD01
Severity: Medium
CVE: CVE-2020-24586, CVE-2020-24587, CVE-2020-24588, CVE-2020-26139, CVE-2020-26140, CVE-2020-26146, CVE-2020-26147
Status: Resolved in KeeneticOS 3.6.6 and later

Keenetic is aware of the Wi-Fi security vulnerabilities known as FragAttacks (Fragmentation and Aggregation Attacks). Detailed information can be found at https://www.fragattacks.com.

The following vulnerabilities have been identified:
- CVE-2020-24586
- CVE-2020-24587
- CVE-2020-24588
- CVE-2020-26139
- CVE-2020-26140
- CVE-2020-26146
- CVE-2020-26147

Potentially affected devices:
All Keenetic models with the “KN” index, released from 2017 onwards.

Affected firmware versions:
All KeeneticOS versions up to and including 3.6.5.

Severity:
The severity of FragAttacks is considered medium, with a wide-ranging impact on nearly all Wi-Fi devices since 1997. The vulnerabilities can potentially lead to information disclosure and privilege escalation. However, exploiting them is not straightforward and requires the attacker to be in close physical proximity to the target device.

Solution:
KeeneticOS version 3.6.6 includes necessary fixes addressing these Wi-Fi vulnerabilities. This update applies to all affected Keenetic models. We strongly recommend users upgrade their devices to the latest KeeneticOS version available online. Keenetic has already begun rolling out automatic updates to devices that have the auto-update option enabled.