CVE-2025-57685
Published: 22 September 2025
Summary
CVE-2025-57685 is a high-severity Command Injection (CWE-77) vulnerability in Bl Ac2100 (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 45.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
LB-Link routers including the BL-AC2100_AZ3 V1.0.4, BL-WR4000 v2.5.0, BL-WR9000_AE4 v2.4.9, BL-AC1900_AZ2 v1.0.2, BL-X26_AC8 v1.2.8, and BL-LTE300_DA4 V1.2.3 models contain an unauthorized command-injection flaw. The issue resides in the /goform/set_serial_cfg interface and stems from insufficient access controls that permit unauthenticated attackers to inject and execute operating-system commands, resulting in full device compromise.
An attacker with adjacent-network access can reach the affected endpoint without credentials or user interaction, obtain root-level privileges, and run arbitrary commands on the device. The vulnerability carries a CVSS 3.1 score of 8.8 and is classified under CWE-77.
The associated EPSS score began at a low baseline, rose materially to a peak of 0.0145 on 2025-12-11, and has since declined to 0.0031, indicating a temporary increase in exploitation interest after public disclosure. Public references include the vendor sites and a technical write-up that reproduces the issue but do not describe official patches or mitigation steps.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-30735
Vulnerability details
The LB-Link routers, including the BL-AC2100_AZ3 V1.0.4, BL-WR4000 v2.5.0, BL-WR9000_AE4 v2.4.9, BL-AC1900_AZ2 v1.0.2, BL-X26_AC8 v1.2.8, and BL-LTE300_DA4 V1.2.3 models, are vulnerable to unauthorized command injection. Attackers can exploit this vulnerability by accessing the /goform/set_serial_cfg interface to gain the highest level…
more
of device privileges without authorization, enabling them to remotely execute malicious commands.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct unauthenticated command injection on network device web interface enables remote arbitrary command execution (RCE).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Access Enforcement requires the /goform/set_serial_cfg interface to check and enforce authorizations, preventing unauthorized privilege escalation and command execution.
Information Input Validation sanitizes user inputs to the vulnerable interface, directly blocking command injection (CWE-77) exploits.
Permitted Actions Without Identification or Authentication explicitly limits unauthenticated actions on the interface to only non-harmful ones, requiring authentication for privileged command execution.