CVE-2025-60691

HighPublic PoC

Published: 13 November 2025

Published

13 November 2025

Modified

17 November 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0059 69.4th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

A stack-based buffer overflow exists in the httpd binary of Linksys E1200 v2 routers (Firmware E1200_v2.0.11.001_us.tar.gz). The apply_cgi and block_cgi functions copy user-supplied input from the "url" CGI parameter into stack buffers (v36, v29) using sprintf without bounds checking. Because…

these buffers are allocated as single-byte variables, any non-empty input will trigger a buffer overflow. Remote attackers can exploit this vulnerability via crafted HTTP requests to execute arbitrary code or cause denial of service without authentication.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the stack-based buffer overflow in the httpd binary by requiring timely patching of the vulnerable firmware.

SI-10 Information Input Validation good match

prevent

Requires validation and bounds checking of user-supplied 'url' CGI parameter input to prevent overflow into single-byte stack buffers via sprintf.

SI-16 Memory Protection partial match

prevent

Implements memory protections like stack canaries or non-executable stacks to mitigate arbitrary code execution from the buffer overflow.

Security SummaryAI

CVE-2025-60691 is a stack-based buffer overflow vulnerability (CWE-121) in the httpd binary of Linksys E1200 v2 routers running firmware version E1200_v2.0.11.001_us.tar.gz. The issue affects the apply_cgi and block_cgi functions, which copy user-supplied input from the "url" CGI parameter into stack buffers (v36 and v29) using sprintf without bounds checking. These buffers are allocated as single-byte variables, so any non-empty input triggers an overflow.

Remote attackers on an adjacent network can exploit this vulnerability by sending crafted HTTP requests to the affected router, requiring no authentication (PR:N) and low complexity (AC:L). Successful exploitation allows arbitrary code execution or denial of service, with high impact on confidentiality, integrity, and availability (CVSSv3.1 score of 8.8: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

References include vendor sites at linksys.com and www.linksys.com, along with a detailed analysis at https://github.com/yifan20020708/SGTaint-0-day/blob/main/Linksys/Linksys-E1200/CVE-2025-60691.md. No specific mitigation or patch details are provided in the CVE description.

Details

CWE(s): CWE-121

Affected Products

linksys

e1200 firmware

2.0.11.001

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is a stack-based buffer overflow in the unauthenticated httpd service of a public-facing router, enabling remote code execution or DoS via crafted HTTP requests, directly mapping to exploitation of public-facing applications.

References

http://linksys.com
Product · cve@mitre.org
https://github.com/yifan20020708/SGTaint-0-day/blob/main/Linksys/Linksys-E1200/CVE-2025-60691.md
Exploit, Third Party Advisory · cve@mitre.org
https://www.linksys.com/
Product · cve@mitre.org