CVE-2025-45986
Published: 13 June 2025
Summary
CVE-2025-45986 is a critical-severity Command Injection (CWE-77) vulnerability in B-Link Bl-X10 Ac8 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 5.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2025-45986 is a command injection vulnerability, tracked under CWE-77, that affects multiple LB-LINK Blink router models, including BL-WR9000 V2.4.9, BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 v1.0.5, BL-LTE300 v1.2.3, BL-F1200_AT1 v1.0.0, BL-X26_AC8 v1.2.8, BLAC450M_AE4 v4.0.0, and BL-X26_DA3 v1.2.7. The flaw resides in the bs_SetMacBlack function and is triggered through the mac parameter; it carries a CVSS 3.1 score of 9.8.
Unauthenticated attackers with network access can supply crafted input in the affected parameter and execute arbitrary operating-system commands on the device. Successful exploitation grants complete control over the router, with full impact on confidentiality, integrity, and availability, and requires neither user interaction nor credentials.
The single public reference is a technical disclosure containing proof-of-concept details for the injection vector; no vendor advisory or patch information is provided in the available sources. The associated EPSS score sits at 0.1330 with no indicated change since publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-18263
Vulnerability details
Blink routers BL-WR9000 V2.4.9, BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 v1.0.5, BL-LTE300 v1.2.3, BL-F1200_AT1 v1.0.0, BL-X26_AC8 v1.2.8, BLAC450M_AE4 v4.0.0 and BL-X26_DA3 v1.2.7 were discovered to contain a command injection vulnerability via the mac parameter in the bs_SetMacBlack function.
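The root cause of a CWE-77 flaw in a MAC-blocklist handler is a user-supplied string reaching a shell command line unvalidated. The following is an added example, not code from the affected firmware or from the disclosure: it shows the defensive pattern a hardened bs_SetMacBlack-style handler would need, a strict allowlist check on the mac parameter and normalisation of the value before it is handed to anything else. The handler name and the sample inputs are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Strict allowlist check: exactly 17 characters in the form
 * xx:xx:xx:xx:xx:xx, hex digits separated by colons. Any other byte,
 * including shell metacharacters such as ';', '|', '`' or '$', is
 * rejected before the value can be placed in a command line. */
int is_valid_mac(const char *mac)
{
    if (mac == NULL || strlen(mac) != 17)
        return 0;
    for (int i = 0; i < 17; i++) {
        if (i % 3 == 2) {
            if (mac[i] != ':')
                return 0;
        } else if (!isxdigit((unsigned char)mac[i])) {
            return 0;
        }
    }
    return 1;
}

/* Normalises a validated MAC to lower case into out (at least 18 bytes).
 * Returns 0 on success, -1 if the input failed validation; nothing that
 * fails validation is ever copied out. */
int normalise_mac(const char *mac, char *out, size_t out_len)
{
    if (!is_valid_mac(mac) || out_len < 18)
        return -1;
    for (int i = 0; i < 17; i++)
        out[i] = (char)tolower((unsigned char)mac[i]);
    out[17] = '\0';
    return 0;
}

/* Hypothetical hardened handler: the vulnerable shape is
 * snprintf(cmd, ..., "<tool> %s", mac); system(cmd);
 * The hardened shape validates first and, if a helper must be run,
 * passes the normalised value as its own argv element via exec, so
 * no shell ever parses it. Here we only report the decision. */
int set_mac_black(const char *mac)
{
    char clean[18];
    if (normalise_mac(mac, clean, sizeof clean) != 0) {
        fprintf(stderr, "rejected mac parameter\n");
        return -1;
    }
    printf("would block %s\n", clean);
    return 0;
}
```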
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.