CVE-2025-1608
Published: 24 February 2025
Description
A vulnerability, which was classified as critical, was found in LB-LINK AC1900 Router 1.0.2. Affected is the function websGetVar of the file /goform/set_manpwd. The manipulation of the argument routepwd leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Security Summary
CVE-2025-1608 is an OS command injection vulnerability classified as critical in the LB-LINK AC1900 Router version 1.0.2. The flaw affects the websGetVar function in the /goform/set_manpwd file, where manipulation of the routepwd argument enables command injection. It was published on 2025-02-24 and is associated with CWE-77 and CWE-78, with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
A remote attacker with low privileges can exploit this vulnerability over the network with low complexity and no user interaction. Successful exploitation allows injection and execution of arbitrary operating system commands, resulting in low impacts to confidentiality, integrity, and availability.
Advisories from VulDB and a public disclosure on a Notion site detail the vulnerability and provide exploit information. The vendor was contacted early regarding the issue but has not responded, and no patches or mitigations are mentioned in the available references.
Details
- CWE(s)