CVE-2025-29062
Published: 02 April 2025
Summary
CVE-2025-29062 is a critical-severity command injection (CWE-77) vulnerability in LB-Link BL-AC2100 firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 7.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2025-29062 is a command-injection vulnerability (CWE-77) affecting the BL-AC2100 router firmware at version V1.0.4 and earlier. Unauthenticated remote attackers can supply crafted values to the time1 and time2 parameters of the set_LimitClient_cfg function exposed by the embedded goahead web service, resulting in arbitrary code execution on the device.
Because the flaw is reachable over the network without credentials or user interaction, an attacker who can reach the web interface can obtain full control of the router, including the ability to read or modify any data and to use the device as a foothold for further attacks. The vulnerability carries a CVSS 3.1 base score of 9.8.
Public references consist of technical write-ups hosted on yuque.com that describe the injection vector; no vendor advisory or firmware patch addressing the issue is referenced in the available sources. The EPSS score rose from lower values after disclosure to a peak of 0.1435 on 2026-05-13 before receding to the current 0.0771, indicating a measurable increase in exploitation interest following publication.
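As an added defensive illustration (not code from this page, the vendor, or the referenced write-ups): a strict allowlist validator for the time1/time2 values, and a scanner that flags set_LimitClient_cfg requests in constructed access-log lines whose values fail that allowlist. The /goform/ handler path and the HH:MM value format are assumptions, since the page gives neither.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed parameter format: time1/time2 carry a clock time as HH:MM.
# Strict allowlist, so shell metacharacters can never pass through.
TIME_RE = re.compile(r"^([01]\d|2[0-3]):[0-5]\d$")
SUSPECT_PARAMS = ("time1", "time2")
# Combined-log-format access line: ip ident user [time] "METHOD target HTTP/x" status
LOG_LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" \d{3}')

def is_valid_time(value: str) -> bool:
    """Allowlist check: accept only HH:MM, reject everything else."""
    return TIME_RE.fullmatch(value) is not None

def suspicious_params(request_target: str) -> dict:
    """Return {param: value} for time1/time2 values of a set_LimitClient_cfg request that fail the allowlist."""
    parts = urlsplit(request_target)
    if "set_LimitClient_cfg" not in parts.path:
        return {}
    query = parse_qs(parts.query, keep_blank_values=True)
    return {name: value
            for name in SUSPECT_PARAMS
            for value in query.get(name, [])
            if not is_valid_time(value)}

def scan_log(text: str) -> list:
    """Return (client_ip, flagged_params) for each request whose time1/time2
    values are not well-formed HH:MM strings."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line)
        if m:
            ip, target = m.groups()
            flagged = suspicious_params(target)
            if flagged:
                hits.append((ip, flagged))
    return hits

# Constructed access-log lines (hypothetical traffic; the /goform/ path is an
# assumption, the page does not give the handler's URL).
SAMPLE_LOG = """\
192.0.2.10 - - [02/Apr/2025:10:00:01 +0000] "GET /goform/set_LimitClient_cfg?time1=08:00&time2=18:00 HTTP/1.1" 200 512
192.0.2.11 - - [02/Apr/2025:10:00:07 +0000] "GET /goform/set_LimitClient_cfg?time1=08:00%3Bx&time2=18:00 HTTP/1.1" 200 512
192.0.2.12 - - [02/Apr/2025:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for ip, flagged in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip}: malformed time parameter(s) {flagged}")
```

The same allowlist applied on the device side, before the values reach any command string, is the fix shape; the log scanner is the compensating detection while no firmware patch is referenced.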
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-9651
Vulnerability details
An issue in BL-AC2100 <=V1.0.4 allows a remote attacker to execute arbitrary code via the time1 and time2 parameters in the set_LimitClient_cfg of the goahead webservice.
- CWE(s): CWE-77 (Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.