
CVE-2025-7574

High

Published: 14 July 2025
Modified: 15 April 2026
CVSS Score (v4): 8.9
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0117 (79.1 percentile)
Risk Priority: 19 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-7574 is a high-severity Improper Authentication (CWE-287) vulnerability. Its CVSS base score is 8.9 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 20.9% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

A critical improper authentication vulnerability (CWE-287) affects the web interface of multiple LB-LINK router models including BL-AC1900, BL-AC2100_AZ3, BL-AC3600, BL-AX1800, BL-AX5400P, and BL-WR9000 up to firmware version 20250702. The flaw resides in the reboot and restore functions of /cgi-bin/lighttpd.cgi, where missing authentication checks allow remote manipulation of sensitive operations without valid credentials. It carries a CVSS 4.0 score of 8.9 and was publicly disclosed after the vendor failed to respond to early notification.

An unauthenticated attacker can exploit the issue over the network to execute arbitrary sensitive actions such as device reboot or configuration restore. The attack requires no user interaction or privileges and has a publicly available proof-of-concept, enabling remote takeover of affected devices with high impact on confidentiality, integrity, and availability.

The EPSS score remains flat at 0.0117 with no material increase since disclosure. Public references include detailed technical write-ups and exploit code on GitHub, along with entries in VulDB, but no vendor advisory or patch information has been issued.


Vulnerability details

A vulnerability, which was classified as critical, was found in LB-LINK BL-AC1900, BL-AC2100_AZ3, BL-AC3600, BL-AX1800, BL-AX5400P and BL-WR9000 up to 20250702. Affected is the function reboot/restore of the file /cgi-bin/lighttpd.cgi of the component Web Interface. The manipulation leads to improper authentication. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct improper authentication flaw in public web interface (/cgi-bin/lighttpd.cgi) enables unauthenticated remote execution of sensitive operations on exposed router.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One (shared CWE-287)

CVE-2025-71279
CVE-2024-13804
CVE-2024-57046
CVE-2026-1203
CVE-2026-1740
CVE-2025-43995
CVE-2026-7876
CVE-2025-0637
CVE-2025-61882
CVE-2026-0589

Mitigating Controls (NIST 800-53 r5)

prevent: Directly identifies and restricts sensitive functions like reboot/restore that permit actions without identification or authentication, preventing remote unauthorized exploitation of the web interface.

prevent: Requires identification and authentication for non-organizational users accessing the router's web interface remotely, blocking privilege-less attackers from exploiting the improper authentication vulnerability.

prevent: Enforces approved authorizations in the web interface component, mitigating the improper authentication that allows arbitrary sensitive operations without privileges.
