CVE-2025-45491

9.8 CRITICAL

📋 TL;DR

This CVE describes a command injection vulnerability in Linksys E5600 routers via the DynDNS username parameter. Attackers can execute arbitrary commands with root privileges on affected devices. This affects Linksys E5600 v1.1.0.26 users who have DynDNS configured or accessible.

💻 Affected Systems

Products:
  • Linksys E5600
Versions: v1.1.0.26
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires DynDNS functionality to be accessible/configured. Admin interface access needed.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full device compromise allowing attacker to install persistent backdoors, intercept all network traffic, pivot to internal networks, or brick the device.

🟠 Likely Case

Remote code execution leading to router takeover, credential theft, DNS hijacking, and network surveillance.

🟢 If Mitigated

Limited impact if device is behind firewall with no external access to admin interface.

🌐 Internet-Facing: HIGH - Router admin interfaces are often exposed to the internet for remote management.
🏢 Internal Only: HIGH - Even internal attackers can exploit this if they reach the admin interface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit script available on GitHub. Requires authentication to admin interface or access to vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check Linksys support site for firmware updates
2. Download latest firmware
3. Access router admin interface
4. Navigate to firmware update section
5. Upload and apply new firmware
6. Reboot router

🔧 Temporary Workarounds

Disable DynDNS (applies to: all)

Turn off DynDNS functionality to remove the vulnerable component.

Restrict Admin Interface Access (applies to: linux)

Block external access to the router admin interface. Without an interface match these rules drop inbound connections to ports 80 and 443 on every interface, including the LAN, which would also lock out local management; restrict them to the WAN side (<wan-interface> is a placeholder, substitute the device's WAN interface name):

iptables -A INPUT -i <wan-interface> -p tcp --dport 80 -j DROP
iptables -A INPUT -i <wan-interface> -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Replace affected router with updated model
  • Place router behind firewall with strict inbound rules

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface under Administration > Firmware Update

Check Version (router-ip is a placeholder for the device's LAN address):

curl -s http://router-ip/status.cgi | grep -i firmware

Verify Fix Applied:

Verify firmware version is newer than v1.1.0.26

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in system logs
  • Multiple failed login attempts to admin interface
  • Suspicious DynDNS configuration changes

Network Indicators:

  • Unusual outbound connections from router
  • DNS queries to malicious domains
  • Unexpected port openings

SIEM Query (parenthesised so the match is either the literal phrase "command injection" or a DynDNS event that also mentions the username field, regardless of the query language's AND/OR precedence):

source="router.log" AND ("command injection" OR ("DynDNS" AND "username"))
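As an added example that is not part of this advisory, a small Python audit combining two of the checks above: it applies the "suspicious DynDNS configuration changes" indicator to constructed log lines (the "dyndns: set user=" format is an assumption, not the E5600's real syslog format) and implements the "newer than v1.1.0.26" firmware test from the How to Verify section.

```python
import re

# Shell metacharacters that have no business in a DynDNS username; a value
# containing any of them is worth an alert regardless of what follows.
_SHELL_META = re.compile(r"[;&|`$(){}<>\n\r\\]")

# Constructed log format (an assumption, not the E5600's real syslog format):
# the admin interface is taken to log DynDNS changes as "dyndns: set user=<value>".
_DYNDNS_LINE = re.compile(r"dyndns: set user=(?P<user>.*)$")

# Constructed sample log, not captured from a real device.
SAMPLE_LOG = [
    "Jan 10 12:00:01 router admin: login from 192.168.1.20",
    "Jan 10 12:00:15 router dyndns: set user=alice_home",
    "Jan 10 12:01:03 router dyndns: set user=alice|bob",
    "Jan 10 12:01:40 router dyndns: set user=a;b",
]


def dyndns_username_suspicious(username: str) -> bool:
    """True if the username contains characters a shell would interpret."""
    return bool(_SHELL_META.search(username))


def scan_router_log(lines):
    """Return (line_number, username) for each DynDNS change with a suspicious username."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _DYNDNS_LINE.search(line.rstrip("\r\n"))
        if m and dyndns_username_suspicious(m.group("user")):
            hits.append((n, m.group("user")))
    return hits


def firmware_is_vulnerable(version: str, last_known_bad: str = "v1.1.0.26") -> bool:
    """Treat v1.1.0.26 and anything older as vulnerable; only newer firmware counts as fixed."""
    def parse(v: str):
        return tuple(int(part) for part in v.lstrip("vV").split("."))
    return parse(version) <= parse(last_known_bad)


if __name__ == "__main__":
    for n, user in scan_router_log(SAMPLE_LOG):
        print(f"line {n}: suspicious DynDNS username {user!r}")
    print("firmware v1.1.0.26 vulnerable:", firmware_is_vulnerable("v1.1.0.26"))
```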
