CVE-2025-45986

9.8 CRITICAL

📋 TL;DR

This CVE describes a command injection vulnerability in multiple Blink router models. The mac parameter of the bs_SetMacBlack function, the handler behind the web management interface's MAC address blacklist feature, is passed into a system command without sanitisation, so an attacker who can reach the interface can append shell metacharacters to the value and execute arbitrary commands on the device. Users of the listed Blink router models running the affected firmware versions are exposed.

💻 Affected Systems

Products and affected firmware versions:
  • Blink BL-WR9000 V2.4.9
  • Blink BL-AC2100_AZ3 V1.0.4
  • Blink BL-X10_AC8 v1.0.5
  • Blink BL-LTE300 v1.2.3
  • Blink BL-F1200_AT1 v1.0.0
  • Blink BL-X26_AC8 v1.2.8
  • Blink BLAC450M_AE4 v4.0.0
  • Blink BL-X26_DA3 v1.2.7
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All listed firmware versions are vulnerable in default configurations. The vulnerability exists in the web management interface's MAC address blacklist function.
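How the bug class works, as an added example that is not Blink's firmware (the real bs_SetMacBlack code is not reproduced on this page): the vulnerable pattern formats the mac parameter straight into a shell command line, while the hardened version validates the value against a strict MAC address allowlist and runs iptables without a shell. The function names, the iptables command and the FORWARD chain are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example: a reconstruction of the bug class only. Function names,
 * the iptables command and the FORWARD chain are assumptions; the real
 * bs_SetMacBlack handler is not shown on this page. */

/* VULNERABLE pattern: the untrusted "mac" parameter is formatted straight
 * into a shell command line. The command is returned instead of being
 * passed to system() so that this example never executes anything. */
const char *build_blacklist_cmd_unsafe(const char *mac)
{
    static char cmd[256];
    snprintf(cmd, sizeof cmd,
             "iptables -I FORWARD -m mac --mac-source %s -j DROP", mac);
    /* Firmware with the bug would now call system(cmd): everything after
     * a ';', '|', '`' or '$(' in mac runs as a separate shell command. */
    return cmd;
}

/* Allowlist check: exactly six hex octets separated by ':' or '-'. */
int is_valid_mac(const char *mac)
{
    if (mac == NULL || strlen(mac) != 17)
        return 0;
    for (int i = 0; i < 17; i++) {
        if (i % 3 == 2) {
            if (mac[i] != ':' && mac[i] != '-')
                return 0;
        } else if (!isxdigit((unsigned char)mac[i])) {
            return 0;
        }
    }
    return 1;
}

/* HARDENED pattern: reject anything that is not a MAC address, then hand
 * the value to iptables as its own argv element via execvp, so no shell
 * ever parses it. dry_run=1 skips the exec (used by main and the tests).
 * Returns 0 on success, -1 if the input was rejected or the exec failed. */
int blacklist_mac_safe(const char *mac, int dry_run)
{
    if (!is_valid_mac(mac))
        return -1;
    char *const argv[] = {
        "iptables", "-I", "FORWARD", "-m", "mac", "--mac-source",
        (char *)mac, "-j", "DROP", NULL
    };
    if (dry_run)
        return 0;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    /* Constructed attacker input: a valid-looking MAC followed by a payload. */
    const char *attack = "00:11:22:33:44:55;reboot";
    printf("unsafe: %s\n", build_blacklist_cmd_unsafe(attack));
    printf("hardened rejects attack: %s\n",
           blacklist_mac_safe(attack, 1) == -1 ? "yes" : "no");
    printf("hardened accepts 00:11:22:33:44:55: %s\n",
           blacklist_mac_safe("00:11:22:33:44:55", 1) == 0 ? "yes" : "no");
    return 0;
}
```

The allowlist check is the important half: once only well-formed MAC addresses get through, the argv-based exec removes the shell entirely, so even a future gap in validation has nothing to inject into.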

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete device compromise allowing attackers to install persistent backdoors, intercept all network traffic, pivot to internal networks, and use the router as part of a botnet.

🟠 Likely Case: Router takeover enabling traffic interception, DNS hijacking, credential theft, and lateral movement to connected devices.

🟢 If Mitigated: Limited impact if routers are behind firewalls with strict inbound filtering and network segmentation prevents lateral movement.

🌐 Internet-Facing: HIGH - These routers sit at the network edge and the exploit status below lists the attack as unauthenticated. If the management interface is reachable from the WAN (remote management enabled, or the device exposed by a port forward), the vulnerable endpoint can be hit directly from the Internet.
🏢 Internal Only: MEDIUM - Even with WAN access to the interface disabled, any host on the LAN or Wi-Fi that can reach the management interface can exploit the flaw, so a compromised client or a malicious guest device remains a viable path.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The GitHub reference cited by the CVE contains technical details and a proof-of-concept. A public PoC, low complexity and no authentication requirement make weaponization likely; this page reports no confirmed in-the-wild exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check the vendor website for a firmware update for your exact model; the eight models above carry different version numbers, so the fixed version will differ per model.
2. Download the firmware image for that model only.
3. Log in to the router admin interface.
4. Navigate to the firmware update section.
5. Upload and apply the new firmware.
6. Reboot the router, then confirm the firmware version shown in the admin interface has changed.

🔧 Temporary Workarounds

Disable remote management (all models): Disable WAN-side access to the router management interface so the vulnerable endpoint is not reachable from the Internet.

Network segmentation (all models): Place routers in isolated network segments with strict firewall rules, and restrict which LAN hosts may reach the management interface.

🧯 If You Can't Patch

  • Replace vulnerable routers with supported models from different vendors
  • Implement strict network monitoring and intrusion detection for router traffic

🔍 How to Verify

Check if Vulnerable:

Compare the firmware version shown in the admin interface with the affected list above for your model. If the model and version match, the device is vulnerable. Do not probe the MAC blacklist function with shell metacharacters on a production device: a successful injection executes the payload.

Check Version:

Login to router admin interface and check System Status or Firmware Information page

Verify Fix Applied:

Confirm the firmware version shown after the update is no longer the affected version for your model. Then check that the MAC blacklist feature still accepts a well-formed MAC address (e.g. 00:11:22:33:44:55); a properly fixed build is expected to reject values that are not a MAC address rather than passing them on.

📡 Detection & Monitoring

Log Indicators:

  • Requests to the MAC blacklist function whose mac parameter contains shell metacharacters (; | ` $( &&), their URL-encoded equivalents, or anything that does not look like a MAC address
  • Repeated MAC blacklist requests from one client, especially with varying or malformed values
  • Processes spawned by the web management daemon that are not part of normal operation (shells, download utilities, network listeners), on devices whose logs expose this

Network Indicators:

  • Unusual outbound connections from router
  • DNS queries to suspicious domains from router
  • Unexpected port scans originating from router

SIEM Query:

source="router_logs" AND (command="*;*" OR command="*|*" OR command="*`*" OR command="*$(*")
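The SIEM query above matches literal metacharacters, which misses payloads sent URL-encoded (%3B for ';', %7C for '|', %60 for '`', %24 for '$'). The following is an added example, not from the page, that runs the same detection logic over constructed access-log lines but percent-decodes the mac value first; the log format and the request path are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the page. Implements the SIEM query above over
 * web-server log lines, plus percent-decoding so that encoded payloads
 * (%3B for ';', %7C for '|', %60 for '`', %24 for '$') are not missed.
 * The log format and the request path are constructed assumptions. */

static const char SHELL_META[] = ";|`$&\n\r";

static int hexval(int c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    c = tolower(c);
    return c - 'a' + 10;
}

/* Percent-decode n bytes of src into dst (NUL-terminated, truncating). */
static void url_decode(const char *src, size_t n, char *dst, size_t dstlen)
{
    size_t o = 0;
    for (size_t i = 0; i < n && o + 1 < dstlen; i++) {
        if (src[i] == '%' && i + 2 < n &&
            isxdigit((unsigned char)src[i + 1]) &&
            isxdigit((unsigned char)src[i + 2])) {
            dst[o++] = (char)(hexval(src[i + 1]) * 16 + hexval(src[i + 2]));
            i += 2;
        } else if (src[i] == '+') {
            dst[o++] = ' ';
        } else {
            dst[o++] = src[i];
        }
    }
    dst[o] = '\0';
}

/* Locate the value of a "mac=" query parameter (at a '?' or '&' boundary). */
static const char *find_mac_param(const char *line)
{
    const char *p = line;
    while ((p = strstr(p, "mac=")) != NULL) {
        if (p == line || p[-1] == '?' || p[-1] == '&')
            return p + 4;
        p += 4;
    }
    return NULL;
}

/* 1 if the line's mac= value contains a shell metacharacter after decoding,
 * 0 if it does not or the line carries no mac= parameter. */
int line_is_suspicious(const char *line)
{
    const char *v = find_mac_param(line);
    if (v == NULL)
        return 0;
    size_t raw_len = strcspn(v, "& \"");  /* value ends at next param, space or quote */
    char decoded[256];
    url_decode(v, raw_len, decoded, sizeof decoded);
    return strpbrk(decoded, SHELL_META) != NULL;
}

/* Count flagged lines in a batch, as a scheduled search would report. */
int count_suspicious(const char *const *lines, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += line_is_suspicious(lines[i]);
    return hits;
}

int main(void)
{
    /* Constructed access-log lines; the path is assumed, not documented. */
    const char *const logs[] = {
        "192.168.1.20 \"POST /bs_SetMacBlack?mac=00:11:22:33:44:55 HTTP/1.1\" 200",
        "192.168.1.20 \"POST /bs_SetMacBlack?mac=aa-bb-cc-dd-ee-ff&enable=1 HTTP/1.1\" 200",
        "203.0.113.5 \"POST /bs_SetMacBlack?mac=00:11:22:33:44:55;reboot HTTP/1.1\" 200",
        "203.0.113.5 \"POST /bs_SetMacBlack?mac=00%3A11%3A22%3A33%3A44%3A55%3Btelnetd HTTP/1.1\" 200",
    };
    size_t n = sizeof logs / sizeof logs[0];
    for (size_t i = 0; i < n; i++)
        printf("%s  %s\n", line_is_suspicious(logs[i]) ? "ALERT" : "ok   ", logs[i]);
    printf("%d of %zu lines flagged\n", count_suspicious(logs, n), n);
    return 0;
}
```

Decoding before matching is what separates this from the literal SIEM query: the third and fourth lines above carry the same payload, one raw and one encoded, and only the decoded check catches both. A tighter rule would additionally flag any value that is not a syntactically valid MAC address, since the legitimate input space for this parameter is that small.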
