CVE-2025-60694

7.5 HIGH

📋 TL;DR

A stack-based buffer overflow vulnerability in Linksys E1200 v2 routers allows remote attackers to execute arbitrary code or cause denial of service without authentication. Attackers can exploit this by sending specially crafted HTTP requests to the router's web interface. This affects all users of Linksys E1200 v2 routers running vulnerable firmware.

💻 Affected Systems

Products:
  • Linksys E1200 v2
Versions: Firmware E1200_v2.0.11.001_us.tar.gz and likely earlier versions
Operating Systems: Embedded Linux (router firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: The web interface is typically enabled by default on these routers, making them immediately vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete router compromise, credential theft, network traffic interception, and persistent backdoor installation.

🟠 Likely Case

Router crash causing denial of service, requiring physical reset and disrupting network connectivity.

🟢 If Mitigated

Limited impact if router is behind firewall with restricted web interface access, though still vulnerable to internal threats.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub, making weaponization straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.linksys.com/

Restart Required: Yes

Instructions:

1. Check Linksys website for firmware updates.
2. Download latest firmware for E1200 v2.
3. Log into router web interface.
4. Navigate to firmware update section.
5. Upload and install new firmware.
6. Reboot router.

🔧 Temporary Workarounds

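Disable Remote Management (Platform: all)

Prevent external access to router web interface

Restrict Web Interface Access (Platform: linux)

Use firewall rules to limit access to router management interface. The INPUT chain only filters traffic addressed to the host the rules run on; on a separate Linux firewall placed in front of the router, the same restriction belongs in the FORWARD chain. Replace 192.168.1.0/24 with the subnet that is allowed to manage the router.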

iptables -A INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

  • Replace router with supported model
  • Place router behind dedicated firewall with strict inbound rules

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router web interface under Administration > Firmware Upgrade

Check Version:

curl -s http://router-ip/status.cgi | grep firmware

Verify Fix Applied:

Verify firmware version is newer than E1200_v2.0.11.001_us

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests with unusual CGI parameters (route_ipaddr_, route_netmask_, route_gateway_)
  • Router crash/reboot events in system logs

Network Indicators:

  • HTTP POST requests to router IP with buffer overflow patterns in parameters
  • Unusual outbound connections from router after exploitation

SIEM Query:

source="router.log" AND ("route_ipaddr_" OR "route_netmask_" OR "route_gateway_")
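The SIEM query above matches any request that names these parameters, including legitimate route changes. The following added example (not part of the original advisory) narrows the alert to values that are oversized or not a dotted-quad address. It assumes the three fields carry IPv4 values and that a proxy or IDS in front of the router logs request bodies in the hypothetical format `<timestamp> <src_ip> <method> <path> <urlencoded body>`; the path and the `_0` suffix in the sample lines are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl

# Parameter name prefixes listed under "Log Indicators" on this page.
WATCHED_PREFIXES = ("route_ipaddr_", "route_netmask_", "route_gateway_")
# Assumption: these fields hold dotted-quad IPv4 values, which never exceed 15 characters.
MAX_IPV4_LEN = 15
IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")

def is_ipv4(value):
    m = IPV4_RE.match(value)
    return bool(m) and all(int(octet) <= 255 for octet in m.groups())

def inspect_body(body):
    """Return (param, reason, length) findings for one form-encoded request body."""
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if not name.startswith(WATCHED_PREFIXES):
            continue
        if len(value) > MAX_IPV4_LEN:
            findings.append((name, "oversized", len(value)))
        elif value and not is_ipv4(value):
            findings.append((name, "not_ipv4", len(value)))
    return findings

def scan(log_lines):
    """Parse lines in the hypothetical log format and collect alerts."""
    alerts = []
    for line in log_lines:
        parts = line.split(" ", 4)
        if len(parts) != 5:
            continue  # malformed line, nothing to inspect
        ts, src, _method, path, body = parts
        for name, reason, length in inspect_body(body):
            alerts.append({"ts": ts, "src": src, "path": path,
                           "param": name, "reason": reason, "len": length})
    return alerts

# Constructed sample lines, not captured traffic.
SAMPLE_LOG = [
    "2025-01-01T10:00:00Z 192.168.1.20 POST /placeholder.cgi route_ipaddr_0=10.0.0.0&route_netmask_0=255.255.255.0&route_gateway_0=192.168.1.1",
    "2025-01-01T10:05:00Z 192.168.1.77 POST /placeholder.cgi route_ipaddr_0=" + "A" * 300 + "&route_netmask_0=255.255.255.0",
    "2025-01-01T10:06:00Z 192.168.1.77 POST /placeholder.cgi route_gateway_0=999.1.1.1",
    "2025-01-01T10:07:00Z 192.168.1.20 GET /index.asp -",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Correlating an "oversized" alert with a router reboot shortly afterwards ties the two log indicators listed above together.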
