(Untitled)

Keenetic router users discovered their devices automatically installed new firmware—even with auto-update disabled—after the manufacturer detected active exploitation of a critical authentication vulnerability.

The Vulnerability

In early November, Keenetic published security bulletin KEN-PSA-2025-WP01 describing a CWE-521 vulnerability (Weak Password Requirements) with a CVSS score of 8.8. The flaw affected Keenetic devices running KeeneticOS versions below 4.3.

The vulnerability allowed users to set weak administrator passwords while simultaneously enabling internet access to the web configurator—creating conditions for remote compromise.

"Internal investigations showed that this vulnerability is being exploited by automated password scanners targeting devices with the most common weak passwords," Keenetic warned in the bulletin.

Exploitation requirements:

• Web configurator accessible from the internet
• Remote web access enabled
• Weak administrator password

Attack consequences:

• Complete device control
• Configuration changes
• Traffic interception and redirection
• Additional service activation
• Potential pivot point for internal network penetration

KeeneticOS 4.3 addresses the vulnerability by requiring stronger passwords and blocking public web access when known compromised passwords are detected.

The Forced Update

Shortly after the security bulletin publication, Keenetic router users noticed automatic firmware installation—despite having auto-update disabled in device settings.

Company representatives confirmed the forced update in official Telegram groups, explaining it addressed the CWE-521 vulnerability described in KEN-PSA-2025-WP01.

Keenetic had recommended users update devices below version 4.3 to KeeneticOS 4.3 or later, disable unnecessary remote web access, and implement strong passwords (minimum 15 characters or generated passphrases).

User Backlash

The forced update decision triggered significant criticism from users:

Forum Activity - A thread demanding the ability to disable forced updates appeared on the official Keenetic forum, generating substantial discussion.

Telegram Reaction - Active discussions erupted in Keenetic Telegram groups, with users expressing frustration that the manufacturer could remotely manage devices while bypassing user-configured settings.

Backdoor Concerns - Some users interpreted the forced update capability as evidence of backdoor functionality in router firmware, raising questions about what other remote control capabilities exist.

The Security vs. Autonomy Dilemma

Keenetic faces a problem common to IoT device manufacturers: how to protect users from actively exploited vulnerabilities when many devices never receive updates.

The security case for forced updates:

• Automated scanners actively exploit the vulnerability
• Compromised routers become attack infrastructure (botnets, traffic interception, network pivots)
• Users with disabled auto-update remain vulnerable indefinitely
• Router compromise affects entire networks, not just the device owner

The autonomy case against forced updates:

• Users explicitly disabled automatic updates through device settings
• Remote control capability bypasses user preferences
• No visibility into what else manufacturers can remotely execute
• Precedent for future forced changes without user consent

Router manufacturers increasingly face this tension. Home routers rarely receive manual updates—users configure them once and forget about them. When critical vulnerabilities emerge with active exploitation, manufacturers must choose between respecting user settings and protecting vulnerable devices.

Keenetic chose protection over autonomy. Whether that decision proves justified depends on factors the company hasn't disclosed: How many devices were vulnerable? How widespread was active exploitation? What other remote capabilities exist in the firmware?

What Users Should Know

Immediate actions:

1. Verify current firmware version (should be KeeneticOS 4.3 or higher)
2. Review web configurator internet access settings
3. Change administrator password if using weak credentials
4. Disable remote web access if not required
5. Check device logs for suspicious access attempts

Long-term considerations:

Keenetic's forced update demonstrates the manufacturer retains remote control capabilities regardless of user settings. Users concerned about this control have limited options:

• Accept manufacturer updates as security measure
• Switch to router firmware allowing complete local control (OpenWRT, DD-WRT)
• Accept vulnerability risk by using older firmware versions

The forced update likely prevented compromise of vulnerable devices actively targeted by automated scanners. However, the capability raises questions about manufacturer control boundaries and what other remote actions might occur without user knowledge or consent.

For critical infrastructure like home routers—which control all network traffic and can serve as pivot points for broader attacks—the security argument for forced updates carries weight. But users deserve transparency about what remote capabilities exist and under what circumstances manufacturers will exercise them.

Keenetic hasn't indicated whether forced updates will become standard practice for future critical vulnerabilities or represented a one-time response to active exploitation. That uncertainty will likely fuel continued user concern about device control and autonomy.