CVE-2025-60689 – An unauthenticated command injection vulnerabil... (How to Fix)

📋 TL;DR

An unauthenticated command injection vulnerability in Linksys E1200 v2 routers allows remote attackers to execute arbitrary commands on the device without authentication. This affects users running vulnerable firmware versions, potentially compromising router security and connected networks.

💻 Affected Systems

Products:

Linksys E1200 v2

Versions: Firmware E1200_v2.0.11.001_us.tar.gz and potentially earlier versions

Operating Systems: Embedded Linux

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the httpd binary's Start_EPI function when processing CGI parameters

📦 What is this software?

E1200 Firmware by Linksys

View all CVEs affecting E1200 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device takeover leading to network compromise, data interception, malware deployment, and persistent backdoor installation.

🟠

Likely Case

Router configuration manipulation, DNS hijacking, credential theft, and use as attack platform against internal network.

🟢

If Mitigated

Limited impact if router is behind firewall with restricted WAN access and proper network segmentation.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit requires sending crafted HTTP requests with malicious CGI parameters to vulnerable endpoints

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.linksys.com/

Restart Required: Yes

Instructions:

1. Check Linksys website for firmware updates
2. Download latest firmware for E1200 v2
3. Access router admin interface
4. Navigate to firmware update section
5. Upload and apply new firmware
6. Reboot router

🔧 Temporary Workarounds

Disable Remote Administration

all

Prevent external access to router administration interface

Network Segmentation

all

Place router in isolated network segment with restricted access

🧯 If You Can't Patch

Replace router with supported model
Implement strict firewall rules blocking all WAN access to router management interface

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router admin interface or via SSH if enabled

Check Version:

cat /proc/version or check web interface

Verify Fix Applied:

Verify firmware version is newer than E1200_v2.0.11.001_us.tar.gz

📡 Detection & Monitoring

Log Indicators:

Unusual CGI parameter values in httpd logs
Multiple failed authentication attempts to admin interface
Suspicious command execution in system logs

Network Indicators:

HTTP requests with unusual CGI parameters (wl_ant, wl_ssid, wl_rate, ttcp_num, ttcp_ip, ttcp_size) containing shell metacharacters
Outbound connections from router to unexpected destinations

SIEM Query:

source="router_logs" AND ("wl_ant" OR "wl_ssid" OR "wl_rate" OR "ttcp_num" OR "ttcp_ip" OR "ttcp_size") AND ("|" OR ";" OR "&" OR "`" OR "$")

📊 Metadata

CVE ID: CVE-2025-60689

CVSS v3 Score: 5.4 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE: CWE-77

EPSS Score: 0.27% exploit probability (50.1th percentile)

Published: November 13, 2025

Last Updated: November 19, 2025

🔗 References

http://linksys.com Product
https://github.com/yifan20020708/SGTaint-0-day/blob/main/Linksys/Linksys-E1200/CVE-2025-60689.md Exploit,Third Party Advisory
https://www.linksys.com/ Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-60689, you might also want to check these: