CVE-2025-1608

6.3 MEDIUM

Published: February 24, 2025 Modified: November 04, 2025

Description

A vulnerability, which was classified as critical, was found in LB-LINK AC1900 Router 1.0.2. Affected is the function websGetVar of the file /goform/set_manpwd. The manipulation of the argument routepwd leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://noisy-caravel-a9a.notion.site/LBLINK_AC1900_V1-0-2_-set_manpwd-_-bl_do_system-_CI-179898c94eac81b9bf56c1f64db77e2d?pvs=74

Source: cna@vuldb.com

Exploit Third Party Advisory

https://vuldb.com/?ctiid.296598

Source: cna@vuldb.com

Permissions Required VDB Entry

https://vuldb.com/?id.296598

Source: cna@vuldb.com

Third Party Advisory VDB Entry

https://vuldb.com/?submit.501022

Source: cna@vuldb.com

Third Party Advisory VDB Entry

4 reference(s) from NVD

Quick Stats

CVSS v3 Score

6.3 / 10.0

EPSS (Exploit Probability)

0.7%

71th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-77 CWE-78 CWE-78

Affected Vendors

lb-link

Related CVEs

CVE-2025-69261 N/A

CVE-2025-69257 6.7

CVE-2025-69210 N/A

CVE-2025-66823 N/A

CVE-2025-50343 N/A