Platform
other
Component
0101
Fixed in
20250702.0.1
CVE-2025-7574 is a critical vulnerability affecting LB-LINK routers, specifically models BL-AC1900, BL-AC2100_AZ3, BL-AC3600, BL-AX1800, BL-AX5400P, and BL-WR9000 running versions up to 20250702. The flaw is an improper authentication weakness that can be exploited remotely. A fix is available in version 20250702.0.1.
The vulnerability resides in the reboot/restore function of the /cgi-bin/lighttpd.cgi file within the Web Interface. An attacker can manipulate this function to bypass authentication mechanisms. Successful exploitation grants unauthorized access to the router's configuration and management interface. This could lead to complete control of the device, including modification of network settings, data interception, and potential use as a pivot point for further attacks on the internal network. The public disclosure of this exploit significantly increases the risk of widespread exploitation.
This vulnerability was publicly disclosed on 2025-07-14. The vendor, LB-LINK, was notified but did not respond. The public availability of an exploit significantly increases the likelihood of exploitation. While no confirmed exploitation campaigns are currently known, the CRITICAL severity and public availability of the exploit warrant immediate attention. This vulnerability does not appear to be listed on CISA KEV as of this writing.
Small and medium-sized businesses (SMBs) and home users relying on LB-LINK routers are at significant risk. Shared hosting environments utilizing these routers are particularly vulnerable due to the potential for widespread compromise. Users with legacy router configurations or those who have not updated their devices in a long time are also at increased risk.
• windows / supply-chain: Monitor PowerShell execution for commands related to network configuration changes or attempts to access router interfaces. Check scheduled tasks for suspicious entries.
• linux / server: Monitor system logs (journalctl) for authentication failures or unusual activity on the router's web interface. Use ss or lsof to identify connections to port 80 or 443 from unexpected sources.
• generic web: Use curl to probe the /cgi-bin/lighttpd.cgi endpoint and examine the response headers for any anomalies. Review access and error logs for suspicious requests.
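An added example (not from the advisory or the vendor) of the log review the last bullet describes: it flags requests to /cgi-bin/lighttpd.cgi that come from outside a trusted management network. The Combined Log Format input, the 192.168.1.0/24 trusted range and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

ENDPOINT = "/cgi-bin/lighttpd.cgi"  # endpoint named in the advisory
# Assumption: networks allowed to manage the router; adjust to your site.
TRUSTED = [ipaddress.ip_network("192.168.1.0/24")]
# Assumption: access log lines are in Common/Combined Log Format.
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def normalise(target):
    """Drop the query string, decode %-escapes and collapse repeated slashes."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/+", "/", path)

def is_trusted(src):
    """True only for a parseable address inside a TRUSTED network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostname or malformed source: treat as untrusted
    return any(addr in net for net in TRUSTED)

def flag_requests(lines):
    """Return {source: [(timestamp, method, status), ...]} for requests to
    ENDPOINT that originate outside the TRUSTED networks."""
    hits = defaultdict(list)
    for line in lines:
        m = CLF.match(line)
        if m is None or normalise(m.group(4)) != ENDPOINT:
            continue
        src, ts, method, _, status = m.groups()
        if not is_trusted(src):
            hits[src].append((ts, method, int(status)))
    return dict(hits)

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE = [
    '192.168.1.10 - - [15/Jul/2025:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.168.1.10 - - [15/Jul/2025:09:12:05 +0000] "POST /cgi-bin/lighttpd.cgi HTTP/1.1" 200 87',
    '203.0.113.7 - - [15/Jul/2025:09:13:40 +0000] "POST /cgi-bin/lighttpd.cgi HTTP/1.1" 200 87',
    '203.0.113.7 - - [15/Jul/2025:09:13:44 +0000] "GET //cgi-bin/%6cighttpd.cgi?x=1 HTTP/1.1" 403 0',
    '198.51.100.23 - - [15/Jul/2025:10:02:11 +0000] "GET /cgi-bin/other.cgi HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for src, events in flag_requests(SAMPLE).items():
        print(src, len(events), "request(s):", events)
```

A 200 response to an untrusted source on this endpoint is the entry to investigate first; the trusted range should list only the hosts that actually administer the router.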
Exploit Status
EPSS
0.35% (57th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade affected LB-LINK routers to version 20250702.0.1 or later. If upgrading is not immediately feasible due to compatibility concerns or testing requirements, consider implementing temporary workarounds. While a direct WAF rule targeting the /cgi-bin/lighttpd.cgi endpoint is difficult without specific exploit patterns, restricting access to this endpoint from untrusted networks can reduce the attack surface. Monitor router logs for unusual activity or authentication attempts. After upgrading, confirm the fix by attempting to access the router's web interface with invalid credentials; authentication should be denied.
Update your LB-LINK router's firmware to a version later than 20250702, if available, to fix the authentication vulnerability. If no update is available, consider replacing the device with one that receives active security updates. Disable remote access to the router's web interface as a temporary measure.
CVE-2025-7574 is a critical vulnerability in LB-LINK routers allowing remote attackers to bypass authentication and gain unauthorized access.
If you are using an LB-LINK BL-AC1900, BL-AC2100_AZ3, BL-AC3600, BL-AX1800, BL-AX5400P, or BL-WR9000 router running version 20250702 or earlier, you are potentially affected.
Upgrade your router to version 20250702.0.1 or later to mitigate the vulnerability. If upgrading is not possible, implement temporary workarounds like restricting access to the web interface.
While no confirmed exploitation campaigns are currently known, the public availability of the exploit increases the risk of exploitation.
Refer to the LB-LINK website for the official advisory regarding CVE-2025-7574.