CVE-2025-44654

Critical

Published: 21 July 2025

Published

21 July 2025

Modified

02 January 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0011 29.5th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-44654 is a critical-severity Improper Access Control (CWE-284) vulnerability in Linksys E2500 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

CM-6 Configuration Settings good match

prevent

Establishes secure configuration settings for vsftpd to properly enable chroot restrictions and prevent unauthorized access to system files.

AC-3 Access Enforcement good match

prevent

Enforces approved access authorizations to block unauthorized reads of system files and privilege escalation via the misconfigured FTP service.

CM-7 Least Functionality good match

prevent

Limits router to least functionality by disabling unnecessary FTP services like vsftpd, eliminating the exposure vector entirely.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Vulnerability in public-facing vsftpd on router directly enables remote exploitation (T1190) and leads to privilege escalation via improper access control.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In Linksys E2500 3.0.04.002, the chroot_local_user option is enabled in the vsftpd configuration file. This could lead to unauthorized access to system files, privilege escalation, or use of the compromised server as a pivot point for internal network attacks.

Deeper analysisAI

CVE-2025-44654 is a high-severity vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting the Linksys E2500 router on firmware version 3.0.04.002. It arises from the vsftpd configuration file having the chroot_local_user option enabled, which improperly restricts user environments and exposes the system to risks including unauthorized access to system files. The issue is classified under CWE-284 (Improper Access Control) and was published on 2025-07-21.

Remote attackers can exploit this vulnerability over the network with low complexity, requiring no authentication privileges or user interaction. Successful exploitation enables high-impact outcomes such as unauthorized access to sensitive system files, privilege escalation on the device, or leveraging the router as a pivot for internal network attacks.

Advisories and additional details are available at http://e2500.com and https://gist.github.com/TPCchecker/279708bf9c599c836ea66f3a3e0c25e1.