CVE-2025-12386
Unknown Unknown - Not Provided
Unauthenticated Information Disclosure in Pix-Link LV-WR21Q Access Point

Publication date: 2026-01-27

Last updated on: 2026-01-27

Assigner: CERT.PL

Description
Pix-Link LV-WR21Q does not enforce any form of authentication for endpoint /goform/getHomePageInfo. Remote unauthenticated attacker is able to use this endpoint to e.g: retrieve cleartext password to the access point. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version V108_108 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-27
Last Modified
2026-01-27
Generated
2026-06-16
AI Q&A
2026-01-27
EPSS Evaluated
2026-06-15
NVD
CVE-2025-12386
EUVD
EUVD-2025-206410
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
pix-link lv-wr21q v108_108
pix-link lv-wr21q From v108_108 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in Pix-Link LV-WR21Q router firmware version V108_108 is due to missing authentication on the endpoint /goform/getHomePageInfo. This allows a remote, unauthenticated attacker to access this endpoint and retrieve sensitive information such as the cleartext password for the access point. Essentially, anyone can remotely obtain the router's password without needing to log in or authenticate. [1]

Impact Analysis

This vulnerability can lead to unauthorized access to your wireless network by exposing the cleartext password of the access point. An attacker could use this information to connect to your network, potentially intercepting data, compromising connected devices, or using your network for malicious activities. It undermines the security of your network by allowing remote attackers to bypass authentication controls. [1]

Detection Guidance

You can detect this vulnerability by attempting to access the endpoint /goform/getHomePageInfo on the Pix-Link LV-WR21Q router without authentication. For example, using a command like `curl http://<router-ip>/goform/getHomePageInfo` from a device on the network. If the response contains sensitive information such as the cleartext password, the device is vulnerable. [1]

Mitigation Strategies

Immediate mitigation steps include restricting access to the router's management interface to trusted networks only, such as limiting access to the local network or specific IP addresses. Additionally, monitor for unauthorized access attempts to the /goform/getHomePageInfo endpoint. Since the vendor has not provided a patch or version range, consider replacing or upgrading the device firmware if a fix becomes available, or using a different router model not affected by this vulnerability. [1]

Compliance Impact

The provided resources do not explicitly discuss how the CVE-2025-12386 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows unauthenticated remote attackers to retrieve cleartext passwords from the router, it could potentially lead to unauthorized access to sensitive data or networks, which may impact compliance with data protection regulations that require safeguarding access credentials and personal data. No direct statements about compliance impact are given. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12386. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart