CVE-2025-5000

6.3 MEDIUM

📋 TL;DR

A critical command injection vulnerability in Linksys FGW3000 routers allows remote attackers to execute arbitrary commands via manipulated filename parameters in HTTP POST requests to the control panel. This affects Linksys FGW3000-AH and FGW3000-HK routers up to version 1.0.17.000000. Attackers can exploit this without authentication to potentially take full control of affected devices.

💻 Affected Systems

Products:
  • Linksys FGW3000-AH
  • Linksys FGW3000-HK
Versions: Up to and including 1.0.17.000000
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running vulnerable firmware versions are affected. The web interface is typically enabled by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete device compromise allowing persistent backdoor installation, credential theft, network pivoting, and botnet recruitment.

🟠 Likely Case: Remote code execution leading to device takeover, network surveillance, and lateral movement within the network.

🟢 If Mitigated: Limited impact if devices are behind firewalls with strict inbound filtering and network segmentation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub. The vulnerability requires no authentication and has simple exploitation vectors.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.linksys.com/

Restart Required: Yes

Instructions:

1. Check Linksys website for firmware updates
2. If update available, download and install via web interface
3. Reboot device after update
4. Verify version is above 1.0.17.000000

🔧 Temporary Workarounds

Network Access Control (all platforms)

Restrict access to the router web interface from untrusted networks.

Firewall Rules (linux)

Block external access to port 80/443 on affected devices:

iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

As written these rules drop all inbound web traffic, including management access from the LAN; to block only the WAN side, add -i <wan-interface> (the interface name depends on the device) to each rule. Because -A appends, an existing ACCEPT rule for these ports earlier in the INPUT chain would still win; use -I instead of -A if that is the case.

🧯 If You Can't Patch

  • Isolate affected devices in separate VLAN with strict firewall rules
  • Implement network monitoring for unusual HTTP POST requests to /cgi-bin/sysconf.cgi

🔍 How to Verify

Check if Vulnerable:

Check the firmware version via the web interface at http://[router-ip]/ or via SSH if enabled. Versions up to and including 1.0.17.000000 are vulnerable; a fixed build should report a version above 1.0.17.000000.

Check Version:

curl -s http://[router-ip]/ | grep -i firmware || ssh admin@[router-ip] 'cat /etc/version'

Verify Fix Applied:

Verify that the firmware version is above 1.0.17.000000 and that HTTP POST requests with malicious filename parameters no longer execute commands.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /cgi-bin/sysconf.cgi with unusual filename parameters
  • System logs showing unexpected command execution

Network Indicators:

  • HTTP traffic to router on port 80/443 with POST requests containing shell metacharacters in parameters

SIEM Query:

source="router-logs" AND (url="/cgi-bin/sysconf.cgi" AND method="POST" AND (filename="*;*" OR filename="*|*" OR filename="*`*"))
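The same filter as the SIEM query above, applied to raw HTTP requests (for example from a packet capture or reverse-proxy log), as an added example that is not part of this advisory. The sample requests are constructed, and the metacharacter set is an assumption that extends the query's three characters with a few more shell operators.

```python
import re
from urllib.parse import parse_qs, urlparse

# Path and parameter name are the ones this advisory describes.
TARGET_PATH = "/cgi-bin/sysconf.cgi"
PARAM = "filename"
# Assumed metacharacter set: the SIEM query's ; | ` plus $ & and newline.
META_RE = re.compile(r"[;|`$&\n]")


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, target, _ = request_line.split(" ", 2)
    return method, urlparse(target).path, body


def suspicious_filename(raw: str):
    """Return the offending filename value, or None if the request looks benign."""
    method, path, body = parse_request(raw)
    if method != "POST" or path != TARGET_PATH:
        return None
    # parse_qs percent-decodes values, so an encoded %3B is inspected as ';'.
    for value in parse_qs(body, keep_blank_values=True).get(PARAM, []):
        if META_RE.search(value):
            return value
    return None


def scan(requests):
    """Return (index, filename) for every request that trips the filter."""
    hits = []
    for i, raw in enumerate(requests):
        value = suspicious_filename(raw)
        if value is not None:
            hits.append((i, value))
    return hits


# Constructed sample requests (not real captures).
SAMPLES = [
    "POST /cgi-bin/sysconf.cgi HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\nfilename=config.cfg&action=restore",
    "POST /cgi-bin/sysconf.cgi HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\nfilename=backup.cfg%3Bls&action=restore",
    "POST /cgi-bin/other.cgi HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\nfilename=x%3Bls",
]

if __name__ == "__main__":
    print(scan(SAMPLES))
```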
