CVE-2025-12386
Unauthenticated Information Disclosure in Pix-Link LV-WR21Q Access Point
Publication date: 2026-01-27
Last updated on: 2026-01-27
Assigner: CERT.PL
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pix-link | lv-wr21q | v108_108 |
| pix-link | lv-wr21q | From v108_108 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in Pix-Link LV-WR21Q router firmware version V108_108 is due to missing authentication on the endpoint /goform/getHomePageInfo. This allows a remote, unauthenticated attacker to access this endpoint and retrieve sensitive information such as the cleartext password for the access point. Essentially, anyone can remotely obtain the router's password without needing to log in or authenticate. [1]
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized access to your wireless network by exposing the cleartext password of the access point. An attacker could use this information to connect to your network, potentially intercepting data, compromising connected devices, or using your network for malicious activities. It undermines the security of your network by allowing remote attackers to bypass authentication controls. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by attempting to access the endpoint /goform/getHomePageInfo on the Pix-Link LV-WR21Q router without authentication. For example, using a command like `curl http://<router-ip>/goform/getHomePageInfo` from a device on the network. If the response contains sensitive information such as the cleartext password, the device is vulnerable. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the router's management interface to trusted networks only, such as limiting access to the local network or specific IP addresses. Additionally, monitor for unauthorized access attempts to the /goform/getHomePageInfo endpoint. Since the vendor has not provided a patch or version range, consider replacing or upgrading the device firmware if a fix becomes available, or using a different router model not affected by this vulnerability. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not explicitly discuss how the CVE-2025-12386 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows unauthenticated remote attackers to retrieve cleartext passwords from the router, it could potentially lead to unauthorized access to sensitive data or networks, which may impact compliance with data protection regulations that require safeguarding access credentials and personal data. No direct statements about compliance impact are given. [1, 2]