CVE-2025-51569
📋 TL;DR
An unauthenticated cross-site scripting (XSS) vulnerability in the LB-Link BL-CPE300M router's web interface allows attackers to inject malicious JavaScript via the /goform/goform_get_cmd_process endpoint. When a user visits a specially crafted URL, the script executes in the router's security context, potentially compromising the device. This affects users of LB-Link BL-CPE300M routers with vulnerable firmware.
💻 Affected Systems
- LB-Link BL-CPE300M
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal router admin credentials, change router settings, redirect traffic, or install malware on connected devices if users are tricked into clicking malicious links.
Likely Case
Attackers create phishing pages that appear to be the router interface, steal session cookies or credentials when users log in, and potentially gain administrative access to the router.
If Mitigated
With proper network segmentation and user awareness training, the impact is limited to potential credential theft from users who click malicious links, but router compromise is prevented.
🎯 Exploit Status
Exploitation requires user interaction (clicking a malicious link) but is technically simple with public proof-of-concept available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: No
Instructions:
Check LB-Link website for firmware updates. If available, download latest firmware and upload via router web interface under System Tools > Firmware Upgrade.
🔧 Temporary Workarounds
Disable Remote Management
allPrevent external access to router web interface
Implement Network Segmentation
allIsolate router management interface from user networks
🧯 If You Can't Patch
- Change default admin credentials to strong, unique passwords
- Implement strict firewall rules to limit access to router management interface
🔍 How to Verify
Check if Vulnerable:
Access router web interface, navigate to System Tools > Firmware Version and check if version matches affected version. Test with payload: /goform/goform_get_cmd_process?cmd=test<script>alert(1)</script>Check Version:
curl -s http://router-ip/goform/goform_get_cmd_process?cmd=version | grep firmwareVerify Fix Applied:
After firmware update, verify version no longer matches affected version and test payload no longer executes JavaScript.📡 Detection & Monitoring
Log Indicators:
- Unusual GET requests to /goform/goform_get_cmd_process with script tags in parameters
- Multiple failed login attempts following suspicious URL access
Network Indicators:
- HTTP requests containing <script> tags in query parameters to router IP
- Unusual outbound connections from router after user visits crafted URLs
SIEM Query:
source="router_logs" AND uri_path="/goform/goform_get_cmd_process" AND (query="*<script>*" OR query="*javascript:*")