Cyber Resilience

CVE-2025-45488

Severity: Critical · Public PoC · RCE

Published: 06 May 2025
Modified: 13 May 2025
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1068 (93.5th percentile)
Risk Priority: 26 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-45488 is a critical-severity Command Injection (CWE-77) vulnerability in Linksys E5600 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 6.5% of CVEs by exploit likelihood (EPSS 93.5th percentile); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

Linksys E5600 firmware version 1.1.0.26 contains a command injection vulnerability in the runtime.ddnsStatus DynDNS function via the mailex parameter. The issue, tracked as CVE-2025-45488 and mapped to CWE-77, stems from insufficient input validation that permits arbitrary command execution when the parameter is processed.

The flaw is remotely exploitable without authentication or user interaction over the network, as reflected in its CVSS 3.1 score of 9.8. An attacker who supplies a crafted mailex value can achieve full control over the device, resulting in impacts to confidentiality, integrity, and availability.

Public proof-of-concept materials, including an exploit script and technical write-up, have been published on GitHub. The associated EPSS score has remained flat at 0.1068 with no material rise after disclosure. No official vendor advisory or patch information appears in the available references.

Vulnerability details

Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.ddnsStatus DynDNS function via the mailex parameter.

CWE(s)

CWE-77 (Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Linksys
Product: E5600 firmware
Version: 1.1.0.26

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
