CVE-2025-29063
Published: 02 April 2025
Summary
CVE-2025-29063 is a critical-severity Command Injection (CWE-77) vulnerability in Lb-Link Bl-Ac2100 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 9.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2025-29063 is a command-injection vulnerability (CWE-77) in the BL-AC2100 wireless router, affecting firmware version V1.0.4 and earlier. The flaw resides in the handling of the enable parameter supplied to the /goform/set_hidessid_cfg endpoint, where unsanitized input is passed to an underlying system command.
An unauthenticated attacker with network access can submit a malicious HTTP request to the endpoint and obtain arbitrary code execution on the device. Successful exploitation grants the attacker full control over the router, allowing modification of configuration, interception of traffic, or use of the device as a pivot point, consistent with the CVSS 9.8 rating that reflects no required authentication or user interaction.
The EPSS score rose from a low baseline to a recorded peak of 0.0999 (current value 0.0613), indicating measurable post-disclosure exploitation interest. The supplied references contain additional technical detail but do not describe vendor patches or official mitigation steps.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-9654
Vulnerability details
An issue in BL-AC2100 V1.0.4 and before allows a remote attacker to execute arbitrary code because the enable parameter passed to /goform/set_hidessid_cfg is not handled properly.
- CWE(s): CWE-77 (Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.