Scan free
CRITICALCVE-2025-7574CVSS 9.8

CVE-2025-7574: Improper Authentication in LB-LINK Routers

Platform

other

Component

0101

Fixed in

20250702.0.1

20250702.0.1

20250702.0.1

20250702.0.1

20250702.0.1

20250702.0.1

AI Confidence: highNVDEPSS 0.3%Reviewed: May 2026
View on NVD
Save

CVE-2025-7574 is a critical vulnerability affecting LB-LINK routers, specifically models BL-AC1900, BL-AC2100_AZ3, BL-AC3600, BL-AX1800, BL-AX5400P, and BL-WR9000 running versions up to 20250702. This vulnerability allows for improper authentication, enabling remote exploitation. A fix is available in version 20250702.0.1.

Impact and Attack Scenarios

The vulnerability resides in the reboot/restore function of the /cgi-bin/lighttpd.cgi file within the Web Interface. An attacker can manipulate this function to bypass authentication mechanisms. Successful exploitation grants unauthorized access to the router's configuration and management interface. This could lead to complete control of the device, including modification of network settings, data interception, and potential use as a pivot point for further attacks on the internal network. The public disclosure of this exploit significantly increases the risk of widespread exploitation.

Exploitation Context

This vulnerability was publicly disclosed on 2025-07-14. The vendor, LB-LINK, was notified but did not respond. The public availability of an exploit significantly increases the likelihood of exploitation. While no confirmed exploitation campaigns are currently known, the CRITICAL severity and public availability of the exploit warrant immediate attention. This vulnerability does not appear to be listed on CISA KEV as of this writing.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

0.35% (57% percentile)

CISA SSVC

Exploitationpoc
Automatableyes
Technical Impacttotal

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:W/RC:R9.8CRITICALAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityHighRisk of sensitive data exposureIntegrityHighRisk of unauthorized data modificationAvailabilityHighRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component0101
VendorLB-LINK
Affected rangeFixed in
20250702 – 2025070220250702.0.1
20250702 – 2025070220250702.0.1
20250702 – 2025070220250702.0.1
20250702 – 2025070220250702.0.1
20250702 – 2025070220250702.0.1
20250702 – 2025070220250702.0.1

Weakness Classification (CWE)

CWE-287

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation is to immediately upgrade affected LB-LINK routers to version 20250702.0.1 or later. If upgrading is not immediately feasible due to compatibility concerns or testing requirements, consider implementing temporary workarounds. While a direct WAF rule targeting the /cgi-bin/lighttpd.cgi endpoint is difficult without specific exploit patterns, restricting access to this endpoint from untrusted networks can reduce the attack surface. Monitor router logs for unusual activity or authentication attempts. After upgrading, confirm the fix by attempting to access the router's web interface with invalid credentials; authentication should be denied.

How to fix

Update the firmware of your LB-LINK router to a version later than 20250702, if available, to correct the authentication vulnerability. If no update is available, consider replacing the device with one that receives active security updates. Disable remote access to the router's web interface as a temporary measure.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2025-7574 — Improper Authentication in LB-LINK Routers?

CVE-2025-7574 is a critical vulnerability in LB-LINK routers allowing remote attackers to bypass authentication and gain unauthorized access.

Am I affected by CVE-2025-7574 in LB-LINK Routers?

If you are using a LB-LINK BL-AC1900, BL-AC2100_AZ3, BL-AC3600, BL-AX1800, BL-AX5400P, or BL-WR9000 router running version 20250702 or earlier, you are potentially affected.

How do I fix CVE-2025-7574 in LB-LINK Routers?

Upgrade your router to version 20250702.0.1 or later to mitigate the vulnerability. If upgrading is not possible, implement temporary workarounds like restricting access to the web interface.

Is CVE-2025-7574 being actively exploited?

While no confirmed exploitation campaigns are currently known, the public availability of the exploit increases the risk of exploitation.

Where can I find the official LB-LINK advisory for CVE-2025-7574?

Refer to the LB-LINK website for the official advisory regarding CVE-2025-7574.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs