CVE-2025-63409 Summary

CVE ID: CVE-2025-63409
Disclosure Date: 11/10/2025
Published: https://www.cve.org/CVERecord?id=CVE-2025-63409

Summary

A device has insufficient access control that allows a low-privileged account to modify administrator-only settings via the web UI and API. Additionally, the backup feature exposes an unencrypted configuration file containing sensitive credentials, including the administrator password. A low-privileged user can leverage these weaknesses to obtain administrator credentials and gain full administrative control of the device.

Affected Product

Vendor: GCOM Technologies Co.
Product: GCOM EPON 1GE
Version: C00R371V00B01

Description

A device has insufficient access control that allows a low-privileged account to modify administrator-only settings. Specifically, a low-privileged user can modify configuration settings that should be restricted to the Administrator account via the web management UI and configuration API. In addition, the device backup configuration feature returns an unencrypted configuration file that contains sensitive credentials (including the administrator password). An attacker with a low-privileged account can both change administrator-only settings and download the backup file to extract the administrator credentials, resulting in privilege escalation to full administrative access.

Writeup

https://hackmd.io/@sal/vulnerability-found-in-gcom-epon-1ge-router
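The two weaknesses described above are both instances of server-side checks that are missing or incomplete: a settings handler that only verifies the caller is logged in, and a backup export that returns every configuration value in clear text to any authenticated user. The following Python model, added here as an illustration and not code from GCOM, from the device firmware, or from the CVE record, places each weak pattern beside its hardened form. The configuration keys, the role names, the sample secrets and the helper names (set_setting_vulnerable, set_setting_fixed, backup_vulnerable, backup_fixed, backup_contains_plaintext_secret) are all constructed for the example; nothing here reflects the actual firmware.

```python
"""Model of the CVE-2025-63409 weakness classes and their hardened forms.

Added example, not code from GCOM or from the CVE record. All keys, roles
and secrets below are constructed sample values.
"""
import json
from dataclasses import dataclass, field

# Settings a low-privileged account must never be able to change (constructed).
ADMIN_ONLY_KEYS = {"admin_password", "wan_mode", "remote_management"}
# Values that must never appear in clear text in an exported backup (constructed).
SECRET_KEYS = {"admin_password", "pppoe_password"}


class AuthorizationError(Exception):
    """Raised when the caller's role does not permit the requested action."""


@dataclass
class User:
    name: str
    role: str  # "admin" or "user" (constructed role model)


@dataclass
class Device:
    # Constructed sample configuration; the real device's keys are unknown here.
    config: dict = field(default_factory=lambda: {
        "hostname": "epon-1ge",
        "wan_mode": "route",
        "remote_management": False,
        "admin_password": "sample-admin-secret",
        "pppoe_password": "sample-pppoe-secret",
    })


def set_setting_vulnerable(device: Device, user: User, key: str, value):
    """Weak pattern: being authenticated is the only check, so any logged-in
    account can overwrite administrator-only settings."""
    device.config[key] = value
    return device.config[key]


def set_setting_fixed(device: Device, user: User, key: str, value):
    """Hardened form: authorization is enforced per key on the server, no
    matter which controls the web UI hides from a low-privileged user."""
    if key in ADMIN_ONLY_KEYS and user.role != "admin":
        raise AuthorizationError(f"{user.name} ({user.role}) may not change {key}")
    device.config[key] = value
    return device.config[key]


def backup_vulnerable(device: Device, user: User) -> str:
    """Weak pattern: any authenticated user receives the whole configuration,
    credentials included, in clear text."""
    return json.dumps(device.config)


def backup_fixed(device: Device, user: User) -> str:
    """Hardened form: backup is an administrator-only action, and secret
    values are redacted so the exported file carries no reusable credentials."""
    if user.role != "admin":
        raise AuthorizationError(f"{user.name} ({user.role}) may not export a backup")
    redacted = {k: ("<redacted>" if k in SECRET_KEYS else v)
                for k, v in device.config.items()}
    return json.dumps(redacted)


def backup_contains_plaintext_secret(backup: str, device: Device) -> bool:
    """Check a defender can run against an exported backup file: does it
    contain any of the device's known secret values in clear text?"""
    return any(device.config[k] in backup for k in SECRET_KEYS)


if __name__ == "__main__":
    dev = Device()
    low = User("guest", "user")
    adm = User("root", "admin")
    # Weak handler: the low-privileged user flips an admin-only setting.
    print("vulnerable:", set_setting_vulnerable(dev, low, "remote_management", True))
    # Hardened handler: the same request is refused.
    try:
        set_setting_fixed(Device(), low, "remote_management", True)
    except AuthorizationError as exc:
        print("fixed:", exc)
    print("leaks secret:", backup_contains_plaintext_secret(backup_vulnerable(dev, low), dev))
    print("leaks secret:", backup_contains_plaintext_secret(backup_fixed(dev, adm), dev))
```

The point of the hardened forms is that the decision is made on the server per action and per key; hiding a control in the web UI is not an access check, and the API path would bypass it anyway. Redacting secrets in the export (or encrypting the file under a key the administrator supplies) keeps the backup feature usable without turning it into a credential disclosure path.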