Cyber Posture

CVE-2025-60690

High · Public PoC

Published: 13 November 2025

Modified: 17 March 2026
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0561 (90.4th percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Description

A stack-based buffer overflow exists in the get_merge_ipaddr function of the httpd binary on Linksys E1200 v2 routers (Firmware E1200_v2.0.11.001_us.tar.gz). The function concatenates up to four user-supplied CGI parameters matching <parameter>_0~3 into a fixed-size buffer (a2) without bounds checking. Remote attackers can exploit this vulnerability via specially crafted HTTP requests to execute arbitrary code or cause denial of service without authentication.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly requires validation of user-supplied CGI parameters to prevent unbounded concatenation into fixed-size buffers causing stack overflows.

prevent

Implements memory protections like stack canaries, ASLR, and DEP to block arbitrary code execution from stack-based buffer overflows.

prevent

Mandates identification, reporting, and correction of the specific buffer overflow flaw in the httpd binary via firmware updates or patches.
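The input-validation control above, as an added C example (not Linksys firmware code and not taken from the researcher advisories): a merge that validates each part and checks the destination size before writing. It assumes the four <parameter>_0 through <parameter>_3 values are IPv4 octets joined with dots; parse_octet and merge_ipaddr_bounded are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Parse one octet: 1-3 decimal digits, value 0..255; -1 if invalid. */
static int parse_octet(const char *s)
{
    int v = 0;
    size_t n = s ? strlen(s) : 0;
    if (n == 0 || n > 3)
        return -1;
    for (size_t i = 0; i < n; i++) {
        if (s[i] < '0' || s[i] > '9')
            return -1;
        v = v * 10 + (s[i] - '0');
    }
    return v <= 255 ? v : -1;
}

/* Hypothetical hardened merge: parts[0..3] stand in for the values of
 * <parameter>_0 .. <parameter>_3, assumed here to be IPv4 octets.
 * Returns 0 and writes "a.b.c.d" to out; returns -1 and empties out
 * when any part is invalid or the result would not fit in out_len. */
int merge_ipaddr_bounded(const char *const parts[4], char *out, size_t out_len)
{
    int oct[4], n;
    if (out == NULL || out_len == 0)
        return -1;
    out[0] = '\0';
    for (int i = 0; i < 4; i++)
        if ((oct[i] = parse_octet(parts[i])) < 0)
            return -1;                  /* reject instead of truncating */
    n = snprintf(out, out_len, "%d.%d.%d.%d", oct[0], oct[1], oct[2], oct[3]);
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0';                  /* destination too small */
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs: one valid set, one with an oversized part. */
    const char *ok[4]  = { "192", "168", "1", "1" };
    const char *bad[4] = { "192", "168", "1", "1111111111111111" };
    char buf[16];
    printf("%d %s\n", merge_ipaddr_bounded(ok, buf, sizeof buf), buf);
    printf("%d\n", merge_ipaddr_bounded(bad, buf, sizeof buf));
    return 0;
}
```

Rejecting the request outright, rather than truncating, keeps a malformed value from being stored or acted on in a shortened form.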

Security Summary · AI

A stack-based buffer overflow vulnerability, tracked as CVE-2025-60690 and associated with CWE-121, affects the httpd binary on Linksys E1200 v2 routers running firmware version E1200_v2.0.11.001_us.tar.gz. The issue resides in the get_merge_ipaddr function, which concatenates up to four user-supplied CGI parameters matching the pattern <parameter>_0 through <parameter>_3 into a fixed-size buffer named a2 without performing bounds checking. This flaw has a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.

Remote attackers on an adjacent network can exploit this vulnerability by sending specially crafted HTTP requests to the affected router, requiring no authentication or user interaction. Successful exploitation allows arbitrary code execution or denial of service, such as crashing the httpd process, enabling attackers to potentially compromise the device, pivot to other network assets, or disrupt connectivity.

Researcher advisories and proof-of-concept details are documented in GitHub repositories at https://github.com/Jarrettgohxz/CVE-research/tree/main/Linksys/E1200-V2/CVE-2025-60690 and https://github.com/yifan20020708/SGTaint-0-day/blob/main/Linksys/Linksys-E1200/CVE-2025-60690.md, with additional information potentially available from Linksys at http://linksys.com and https://www.linksys.com/. No specific patch or mitigation guidance is detailed in the available CVE information.

Details

CWE(s)

Affected Products

linksys
e1200 firmware
2.0.11.001

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The stack-based buffer overflow in the public-facing httpd CGI on the Linksys router enables remote unauthenticated arbitrary code execution (T1190: Exploit Public-Facing Application) or denial of service via crafted HTTP requests (T1499.004: Application or System Exploitation).
