CVE-2025-60691
Published: 13 November 2025
Summary
CVE-2025-60691 is a high-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Linksys E1200 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 30.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the stack-based buffer overflow in the httpd binary by requiring timely patching of the vulnerable firmware.
Requires validation and bounds checking of user-supplied 'url' CGI parameter input to prevent overflow into single-byte stack buffers via sprintf.
Implements memory protections like stack canaries or non-executable stacks to mitigate arbitrary code execution from the buffer overflow.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a stack-based buffer overflow in the unauthenticated httpd service of a public-facing router, enabling remote code execution or DoS via crafted HTTP requests, directly mapping to exploitation of public-facing applications.
NVD Description
A stack-based buffer overflow exists in the httpd binary of Linksys E1200 v2 routers (Firmware E1200_v2.0.11.001_us.tar.gz). The apply_cgi and block_cgi functions copy user-supplied input from the "url" CGI parameter into stack buffers (v36, v29) using sprintf without bounds checking. Because…
more
these buffers are allocated as single-byte variables, any non-empty input will trigger a buffer overflow. Remote attackers can exploit this vulnerability via crafted HTTP requests to execute arbitrary code or cause denial of service without authentication.
Deeper analysisAI
CVE-2025-60691 is a stack-based buffer overflow vulnerability (CWE-121) in the httpd binary of Linksys E1200 v2 routers running firmware version E1200_v2.0.11.001_us.tar.gz. The issue affects the apply_cgi and block_cgi functions, which copy user-supplied input from the "url" CGI parameter into stack buffers (v36 and v29) using sprintf without bounds checking. These buffers are allocated as single-byte variables, so any non-empty input triggers an overflow.
Remote attackers on an adjacent network can exploit this vulnerability by sending crafted HTTP requests to the affected router, requiring no authentication (PR:N) and low complexity (AC:L). Successful exploitation allows arbitrary code execution or denial of service, with high impact on confidentiality, integrity, and availability (CVSSv3.1 score of 8.8: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
References include vendor sites at linksys.com and www.linksys.com, along with a detailed analysis at https://github.com/yifan20020708/SGTaint-0-day/blob/main/Linksys/Linksys-E1200/CVE-2025-60691.md. No specific mitigation or patch details are provided in the CVE description.
Details
- CWE(s)