Cyber Resilience

CVE-2025-57685

High

Published: 22 September 2025

Published
22 September 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0031 55.0th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-57685 is a high-severity Command Injection (CWE-77) vulnerability in Bl Ac2100 (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 45.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

LB-Link routers including the BL-AC2100_AZ3 V1.0.4, BL-WR4000 v2.5.0, BL-WR9000_AE4 v2.4.9, BL-AC1900_AZ2 v1.0.2, BL-X26_AC8 v1.2.8, and BL-LTE300_DA4 V1.2.3 models contain an unauthorized command-injection flaw. The issue resides in the /goform/set_serial_cfg interface and stems from insufficient access controls that permit unauthenticated attackers to inject and execute operating-system commands, resulting in full device compromise.

An attacker with adjacent-network access can reach the affected endpoint without credentials or user interaction, obtain root-level privileges, and run arbitrary commands on the device. The vulnerability carries a CVSS 3.1 score of 8.8 and is classified under CWE-77.

The associated EPSS score began at a low baseline, rose materially to a peak of 0.0145 on 2025-12-11, and has since declined to 0.0031, indicating a temporary increase in exploitation interest after public disclosure. Public references include the vendor sites and a technical write-up that reproduces the issue but do not describe official patches or mitigation steps.

EU & UK References

Vulnerability details

The LB-Link routers, including the BL-AC2100_AZ3 V1.0.4, BL-WR4000 v2.5.0, BL-WR9000_AE4 v2.4.9, BL-AC1900_AZ2 v1.0.2, BL-X26_AC8 v1.2.8, and BL-LTE300_DA4 V1.2.3 models, are vulnerable to unauthorized command injection. Attackers can exploit this vulnerability by accessing the /goform/set_serial_cfg interface to gain the highest level…

more

of device privileges without authorization, enabling them to remotely execute malicious commands.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Direct unauthenticated command injection on network device web interface enables remote arbitrary command execution (RCE).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-67397Shared CWE-77
CVE-2024-55030Shared CWE-77
CVE-2025-24818Shared CWE-77
CVE-2025-9223Shared CWE-77
CVE-2026-8431Shared CWE-77
CVE-2026-44869Shared CWE-77
CVE-2025-70093Shared CWE-77
CVE-2025-0593Shared CWE-77
CVE-2026-34259Shared CWE-77
CVE-2026-44866Shared CWE-77

Affected Assets

Bl Ac2100
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Access Enforcement requires the /goform/set_serial_cfg interface to check and enforce authorizations, preventing unauthorized privilege escalation and command execution.

prevent

Information Input Validation sanitizes user inputs to the vulnerable interface, directly blocking command injection (CWE-77) exploits.

prevent

Permitted Actions Without Identification or Authentication explicitly limits unauthenticated actions on the interface to only non-harmful ones, requiring authentication for privileged command execution.

References