CVE-2025-57685
BaseFortify
Publication date: 2025-09-22
Last updated on: 2025-11-17
Assigner: MITRE
Description
The LB-Link routers, including the BL-AC2100_AZ3 V1.0.4, BL-WR4000 v2.5.0, BL-WR9000_AE4 v2.4.9, BL-AC1900_AZ2 v1.0.2, BL-X26_AC8 v1.2.8, and BL-LTE300_DA4 V1.2.3 models, are vulnerable to unauthorized command injection. Attackers can exploit this vulnerability by accessing the /goform/set_serial_cfg interface to gain the highest level of device privileges without authorization, enabling them to remotely execute malicious commands.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lb-link | bl-ac1900_az2 | v1.0.2 |
| lb-link | bl-lte300_da4 | v1.2.3 |
| lb-link | bl-wr9000_ae4 | v2.4.9 |
| lb-link | bl-x26_ac8 | v1.2.8 |
| lb-link | bl-wr4000 | v2.5.0 |
| lb-link | bl-ac2100_az3 | v1.0.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |