CVE-2025-45988

Critical · Public PoC · RCE

Published: 13 June 2025

Modified: 10 July 2025
KEV Added: not listed
Patch: none referenced
CVSS v3.1 base score: 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.1330 (94.3rd percentile)
Risk Priority: 28 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-45988 is a critical-severity Command Injection (CWE-77) vulnerability in B-Link Bl-Wr9000 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 5.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2025-45988 affects multiple LB-LINK router models, including BL-WR9000 V2.4.9, BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 v1.0.5, BL-LTE300 v1.2.3, BL-F1200_AT1 v1.0.0, BL-X26_AC8 v1.2.8, BLAC450M_AE4 v4.0.0 and BL-X26_DA3 v1.2.7. The affected firmware contains several command injection flaws in the bs_SetCmd function, which passes unsanitized input from the cmd parameter into operating-system commands; this corresponds to CWE-77.

An unauthenticated attacker with network access can supply crafted values to the cmd parameter and execute arbitrary operating-system commands on the router. Successful exploitation yields full control over the device, enabling actions consistent with the CVSS 9.8 rating of complete confidentiality, integrity and availability impact.

Public disclosure of the issues appears in a technical write-up hosted on GitHub that demonstrates the injection vectors; no vendor advisory or firmware patch information is referenced in the available sources. The associated EPSS score has remained at 0.1330 without a documented rise from a lower baseline.

Vulnerability details

Blink routers BL-WR9000 V2.4.9, BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 v1.0.5, BL-LTE300 v1.2.3, BL-F1200_AT1 v1.0.0, BL-X26_AC8 v1.2.8, BLAC450M_AE4 v4.0.0 and BL-X26_DA3 v1.2.7 were discovered to contain multiple command injection vulnerabilities via the cmd parameter in the bs_SetCmd function.

CWE(s)

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor | Product | Version
b-link | bl-wr9000 firmware | 2.4.9
b-link | bl-ac1900 firmware | 1.0.2
b-link | bl-ac2100 az3 firmware | 1.0.4
b-link | bl-x10 ac8 firmware | 1.0.5
b-link | bl-lte300 firmware | 1.2.3
b-link | bl-f1200 at1 firmware | 1.0.0
b-link | bl-x26 ac8 firmware | 1.2.8
b-link | blac450m ae4 firmware | 4.0.0
b-link | bl-x26 da3 firmware | 1.2.7

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
