CVE-2025-60690 – A stack-based buffer overflow vulnerability in ... (How to Fix)

📋 TL;DR

A stack-based buffer overflow vulnerability in Linksys E1200 v2 routers allows remote attackers to execute arbitrary code or cause denial of service without authentication. Attackers can exploit this by sending specially crafted HTTP requests to the vulnerable httpd binary. Only Linksys E1200 v2 routers running the affected firmware are impacted.

💻 Affected Systems

Products:

Linksys E1200 v2

Versions: Firmware E1200_v2.0.11.001_us.tar.gz and potentially earlier versions

Operating Systems: Embedded Linux (router firmware)

Default Config Vulnerable: ⚠️ Yes

Notes: The web interface is typically enabled by default on these routers. No special configuration is needed for exploitation.

📦 What is this software?

E1200 Firmware by Linksys

View all CVEs affecting E1200 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with root privileges leading to complete device compromise, network infiltration, and persistent backdoor installation.

🟠

Likely Case

Denial of service causing router crashes and network disruption, potentially requiring physical reset.

🟢

If Mitigated

Limited impact if device is behind firewall with restricted HTTP access, though still vulnerable to internal threats.

🌐 Internet-Facing: HIGH - The vulnerability is in the web interface which is typically internet-accessible on home routers.

🏢 Internal Only: HIGH - Even internally, any device on the network can exploit this without authentication.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Proof of concept code is available on GitHub. The vulnerability requires no authentication and has straightforward exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.linksys.com/

Restart Required: Yes

Instructions:

1. Check Linksys website for firmware updates
2. Download latest firmware for E1200 v2
3. Access router web interface
4. Navigate to firmware update section
5. Upload and apply new firmware
6. Reboot router after update

🔧 Temporary Workarounds

Disable Remote Management

all

Disable web interface access from WAN/internet to prevent external exploitation

Network Segmentation

all

Isolate router management interface to separate VLAN or restrict access to trusted IPs only

🧯 If You Can't Patch

Replace router with supported model that receives security updates
Place router behind firewall that blocks all HTTP traffic to router IP

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in web interface under Administration > Firmware Upgrade. If version is E1200_v2.0.11.001_us or earlier, device is vulnerable.

Check Version:

curl -s http://router-ip/ | grep -i firmware or check web interface

Verify Fix Applied:

After firmware update, verify version number has changed from vulnerable version. Test HTTP requests with long parameter values to ensure no crashes.

📡 Detection & Monitoring

Log Indicators:

Multiple HTTP requests with unusually long parameter names ending in _0~3
Router crash/reboot logs
Web interface access logs showing buffer overflow patterns

Network Indicators:

HTTP POST/GET requests with parameter names ending in _0, _1, _2, _3 containing long values
Traffic to router web interface from unexpected sources

SIEM Query:

source="router-logs" AND (http_uri="*_0=*" OR http_uri="*_1=*" OR http_uri="*_2=*" OR http_uri="*_3=*") AND bytes > 100

📊 Metadata

CVE ID: CVE-2025-60690

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-121

EPSS Score: 0.62% exploit probability (69.4th percentile)

Published: November 13, 2025

Last Updated: November 17, 2025

🔗 References

http://linksys.com Product
https://github.com/yifan20020708/SGTaint-0-day/blob/main/Linksys/Linksys-E1200/CVE-2025-60690.md Exploit,Third Party Advisory
https://www.linksys.com/ Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-60690, you might also want to check these: