Description
Incorrect access control in the web management interface of T3 Technology CPE models T625Pro v1.0.07, T6825G v1.0.03, and T7281 v1.0.03 allows unauthorized attackers to enable the Telnet service via sending a crafted request to a vulnerable CGI component.
Published: 2026-06-04
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from incorrect access control (CWE-284) in the web management interface of T3 Technology CPE devices. An attacker who can send a crafted request to a vulnerable CGI component can enable the Telnet service without authentication, effectively creating a new management channel.

Affected Systems

The affected products are T3 Technology CPE models T625Pro firmware v1.0.07, T6825G firmware v1.0.03, and T7281 firmware v1.0.03. No other models or firmware versions are stated as susceptible.

Risk and Exploitability

The flaw is publicly rated CVSS 9.8, placing it in the critical range. Its EPSS score of < 1% indicates a very low but nonzero likelihood of exploitation, and the vulnerability is not included in CISA KEV, so no widespread exploitation campaigns are reported. The SSVC data in the history below nonetheless records Exploitation as 'poc' and Automatable as 'yes', so the low EPSS score and absence from KEV do not mean the flaw is hard to exploit. The attack can be executed remotely over the network when the web interface is reachable and a crafted request can be sent to the CGI component. By enabling Telnet, an attacker obtains a privileged management channel that can be leveraged for further unauthorized actions.

Generated by OpenCVE AI on June 8, 2026 at 17:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable the Telnet service through the web interface or by using console commands.
  • Enforce strict access control on the web management interface (CWE-284) by restricting access to trusted IP addresses and requiring authentication for CGI components.
  • Restrict external access to the device's web interface to trusted administrators or specific IP ranges.
  • Monitor network traffic and device logs for any unexpected Telnet activation or unauthorized management activity.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Title Web Interface Access Control Bypass Enables Telnet Service

Mon, 08 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
Title Improper Access Control Enables Unauthorized Telnet Activation in T3 Technology CPE Devices
Weaknesses CWE-862

Mon, 08 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 05 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared T3techgroup
T3techgroup t625pro
T3techgroup t6825g
T3techgroup t7281
Vendors & Products T3techgroup
T3techgroup t625pro
T3techgroup t6825g
T3techgroup t7281

Thu, 04 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title Improper Access Control Enables Unauthorized Telnet Activation in T3 Technology CPE Devices
Weaknesses CWE-284
CWE-862

Thu, 04 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Description Incorrect access control in the web management interface of T3 Technology CPE models T625Pro v1.0.07, T6825G v1.0.03, and T7281 v1.0.03 allows unauthorized attackers to enable the Telnet service via sending a crafted request to a vulnerable CGI component.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-08T13:51:48.841Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-35904

Vulnrichment

Updated: 2026-06-08T13:51:41.770Z

NVD

Status: Deferred

Published: 2026-06-04T15:16:50.550

Modified: 2026-06-08T15:16:44.673

Link: CVE-2026-35904

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T18:00:16Z

Weaknesses