CVE-2025-1609

6.3 MEDIUM

📋 TL;DR

This CVE describes a critical OS command injection vulnerability in LB-LINK AC1900 routers. Attackers can remotely execute arbitrary commands on affected devices by manipulating the 'cmd' parameter handled by the websGetVar function. All users of LB-LINK AC1900 Router version 1.0.2 are affected.

💻 Affected Systems

Products:
  • LB-LINK AC1900 Router
Versions: 1.0.2
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running the vulnerable firmware version are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the router, allowing attackers to install persistent backdoors, intercept all network traffic, pivot to internal networks, and use the device for botnet activities.

🟠 Likely Case

Router takeover leading to DNS hijacking, credential theft from network traffic, and use as a proxy for malicious activities.

🟢 If Mitigated

Limited impact if the router is isolated from critical networks and has strict egress filtering, though device compromise still occurs.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available and the vulnerability requires no authentication to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: Yes

Instructions:

No official patch available. Contact vendor for updated firmware or replace affected devices.

🔧 Temporary Workarounds

Network Segmentation

Applies to: all

Isolate the router from critical internal networks to limit potential damage from compromise.

Access Control Lists

Applies to: all

Implement strict firewall rules to limit access to the router's web interface from untrusted networks.

🧯 If You Can't Patch

  • Immediately replace affected routers with devices from vendors that provide security updates
  • Deploy network monitoring to detect exploitation attempts and anomalous router behavior

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version in the web interface under System Status > Firmware Version.

Check Version:

Check the web interface, or use nmap to identify the device version.

Verify Fix Applied:

Verify that the firmware version has been updated beyond 1.0.2.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /goform/set_cmd with shell metacharacters in parameters
  • Unexpected command execution in router logs

Network Indicators:

  • Anomalous outbound connections from router
  • DNS queries to suspicious domains from router

SIEM Query:

source="router_logs" AND uri="/goform/set_cmd" AND param="cmd" AND (value CONTAINS "|" OR value CONTAINS ";" OR value CONTAINS "`")

(The metacharacter checks are grouped in their own parentheses; without them, AND binds tighter than OR and the query would also match every event whose value contains ";" or "`", regardless of source, URI or parameter.)
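The log indicator above, turned into a small detection script (added here as an example; it is not part of the original advisory or any vendor tooling). It parses Combined Log Format lines, which are constructed samples, and flags requests to /goform/set_cmd whose decoded cmd parameter contains shell metacharacters. It extends the page's "|", ";" and "`" set with "&" and "$", and assumes the cmd parameter is visible in the logged query string, since access logs do not record POST bodies.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample log lines (Combined Log Format); not taken from a real device.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Mar/2025:10:00:01 +0000] "POST /goform/set_cmd?cmd=ping%20192.168.1.1 HTTP/1.1" 200 12',
    '10.0.0.9 - - [01/Mar/2025:10:00:02 +0000] "POST /goform/set_cmd?cmd=ping%3B%60id%60 HTTP/1.1" 200 12',
    '10.0.0.9 - - [01/Mar/2025:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 512',
]

# Page lists "|", ";" and "`"; "&" and "$" are added as further command separators/expansions.
METACHARS = set("|;`&$")
TARGET_PATH = "/goform/set_cmd"  # endpoint named in the advisory's log indicators

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)


def find_cmd_injection_attempts(lines):
    """Return one finding per request whose decoded cmd value contains a metacharacter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed access log line; skip rather than crash
        parts = urlsplit(m.group("target"))
        if parts.path != TARGET_PATH:
            continue
        # parse_qs percent-decodes once; a second unquote_plus also catches double-encoded payloads.
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get("cmd", []):
            decoded = unquote_plus(value)
            found = sorted(c for c in METACHARS if c in decoded)
            if found:
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "method": m.group("method"), "cmd": decoded,
                             "metachars": found})
    return hits


if __name__ == "__main__":
    for hit in find_cmd_injection_attempts(SAMPLE_LOGS):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} cmd={hit['cmd']!r} metachars={hit['metachars']}")
```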
