External risk intelligence

ALLNET ALL-RUT22GW Stored Hardcoded Credentials Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2025-29268

The affected product is an industrial LTE cellular router. Such devices are specifically designed to serve as internet edge gateways, providing connectivity and management interfaces that are frequently exposed to the public internet to facilitate remote access and industrial network routing.

Allnet All Rut22gw Firmware

3.3.8

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical security issue has been identified in specific industrial LTE cellular routers, where hardcoded credentials were found within a core library. This vulnerability could allow unauthorized access and control over these devices if they are exposed to the internet, potentially impacting network operations.

  • Issue: Hardcoded credentials found in router software.
  • Remember: These routers are often internet-exposed gateways.
  • Takeaway: Confirm relevance and potential exposure to the internet.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by accessing the device's network, as hardcoded credentials within the `libicos.so` library are exposed. This allows for unauthenticated access, potentially leading to complete system compromise.

  • Network access is required.
  • Hardcoded credentials in library are read.
  • Unauthenticated access and system compromise.

Live Threat

Current exploitation, exposure, and threat context

The ALLNET ALL-RUT22GW router stores hardcoded credentials within its `libicos.so` library. This could allow an unauthenticated attacker with network access to gain elevated privileges and potentially compromise the device's integrity and availability.

  • System credentials at risk.
  • Credentials exposed over the network.
  • Full device compromise possible.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in industrial LTE cellular routers likely impacts network infrastructure teams responsible for edge devices and connectivity. The immediate first step is to identify all instances of the affected technology, determine their exposure and business criticality, and then locate the accountable owner to plan remediation based on assessed risk.

  • Network infrastructure teams own the issue.
  • Verify external reachability and business criticality.
  • Plan remediation based on assessed risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the ALLNET ALL-RUT22GW?

The ALLNET ALL-RUT22GW is an industrial LTE cellular router. These devices serve as network gateways, often used to provide internet connectivity, facilitate remote management, and bridge local networks to cellular data services in industrial environments.

What does CVE-2025-29268 mean?

This vulnerability is classified as CWE-798, which refers to the use of hardcoded credentials. It means that fixed, secret login information is embedded directly within the device's libicos.so library, allowing someone who knows these credentials to bypass authentication mechanisms.

How can an attacker trigger this vulnerability?

An attacker needs network access to the router to exploit the hardcoded credentials. This vulnerability does not require the attacker to interact with a specific user interface or perform complex actions; simply reaching the device over the network allows them to leverage the embedded credentials for unauthorized access.

Do I need to worry if my router is internal?

Halo Surface Signal indicates that because this product is an industrial gateway designed for remote access, it is frequently placed at the edge of networks and exposed to the public internet. While internal devices are less reachable by external attackers, any device on a network reachable by unauthorized parties is at risk.

How should I respond to this vulnerability?

Start by identifying all deployed units of this specific model in your environment. Evaluate the business criticality and network placement of these devices, determine if they are reachable from the internet, and coordinate with the asset owner to develop a plan to address the risk posed by the hardcoded credentials.

References