Cyber Resilience

CVE-2025-9146

High · Public PoC

Published: 19 August 2025

Modified: 12 September 2025
CVSS Score v4: 7.5 (CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0033 (56.4th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-9146 is a high-severity Use of a Broken or Risky Cryptographic Algorithm (CWE-327) vulnerability in Linksys E5600 Firmware. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Weaken Encryption (T1600). The CVE ranks in the top 43.6% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SI-7 (Software, Firmware, and Information Integrity).

Deeper analysis

CVE-2025-9146 is a vulnerability in the Linksys E5600 router running firmware version 1.1.0.26. The flaw resides in the verify_gemtek_header function within the checkFw.sh script of the Firmware Handler component. It enables the use of a risky cryptographic algorithm, classified under CWE-310 (Cryptographic Issues) and CWE-327 (Use of a Broken or Risky Cryptographic Algorithm). The issue carries a CVSS v3.1 base score of 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-08-19.

The vulnerability can be exploited remotely by attackers who hold high privileges (PR:H) on the target system, though it demands high attack complexity (AC:H) and is described as difficult to exploit. Successful exploitation has high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially compromising the device's firmware handling process, for example through improper validation during updates.

Advisories from VulDB detail the issue but note that the vendor was contacted early without any response. No patches or official mitigations are available from Linksys, as referenced on their site and in the VulDB entries. Additional technical analysis appears in a GitHub repository documenting IoT firmware updates for the Linksys E5600.

Vulnerability details

A flaw has been found in Linksys E5600 1.1.0.26. The affected element is the function verify_gemtek_header of the file checkFw.sh of the component Firmware Handler. Executing manipulation can lead to risky cryptographic algorithm. The attack may be launched remotely. The attack requires a high level of complexity. The exploitability is described as difficult. The vendor was contacted early about this disclosure but did not respond in any way.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1600 · Weaken Encryption · Defense Impairment
Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications.
Why these techniques?

The vulnerability stems from a weak CRC integrity check (CWE-327, risky cryptographic algorithm) in the firmware update process, which allows crafted firmware uploads leading to code execution or DoS. This directly facilitates T1600 (Weaken Encryption) by bypassing integrity verification, as mapped by VulDB.

CVEs Like This One

CVE-2025-29228 (Same product: Linksys E5600)
CVE-2025-29230 (Same product: Linksys E5600)
CVE-2025-29229 (Same product: Linksys E5600)
CVE-2025-44654 (Same vendor: Linksys)
CVE-2026-5588 (Shared CWE-327)
CVE-2025-8832 (Same vendor: Linksys)
CVE-2024-57225 (Same vendor: Linksys)
CVE-2025-8818 (Same vendor: Linksys)
CVE-2024-57536 (Same vendor: Linksys)
CVE-2025-60691 (Same vendor: Linksys)

Affected Assets

linksys
e5600 firmware
1.1.0.26

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandates approved cryptographic algorithms and modules, directly eliminating the risky algorithm implemented in verify_gemtek_header.

prevent

Requires cryptographic verification of firmware integrity, preventing acceptance of updates validated by the flawed checkFw.sh function.

prevent

Restricts who can perform firmware changes, limiting the high-privilege remote attackers needed to reach the vulnerable verification code.
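
As an added illustration of the firmware-integrity control described above (not code from the router firmware, VulDB or the referenced repository), this Python example contrasts a checksum-only acceptance check with an authenticated one. The header layout, function names and key are hypothetical, and HMAC-SHA256 stands in for the vendor signature a real updater would verify with a public key.

```python
import hashlib
import hmac
import struct
import zlib

# Hypothetical layout for this example only (NOT the Gemtek header format):
# 4-byte magic, 4-byte big-endian payload length, 4-byte CRC32 of the payload.
MAGIC = b"FWEX"
HEADER = struct.Struct(">4sII")
TAG_LEN = 32  # HMAC-SHA256 tag appended after the payload

def build_image(payload: bytes, key: bytes) -> bytes:
    """Vendor side: header + payload + authentication tag over both."""
    header = HEADER.pack(MAGIC, len(payload), zlib.crc32(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

def parse(image: bytes):
    """Return (crc, payload, authenticated_part, tag), or None if malformed."""
    if len(image) < HEADER.size + TAG_LEN:
        return None
    magic, length, crc = HEADER.unpack_from(image)
    if magic != MAGIC or length != len(image) - HEADER.size - TAG_LEN:
        return None
    body_end = HEADER.size + length
    return crc, image[HEADER.size:body_end], image[:body_end], image[body_end:]

def verify_checksum_only(image: bytes) -> bool:
    """Weak pattern: catches accidental corruption but depends on no secret."""
    parsed = parse(image)
    return parsed is not None and zlib.crc32(parsed[1]) == parsed[0]

def verify_authenticated(image: bytes, key: bytes) -> bool:
    """Hardened pattern: accept only if the tag over header+payload matches."""
    parsed = parse(image)
    if parsed is None:
        return False
    expected = hmac.new(key, parsed[2], hashlib.sha256).digest()
    return hmac.compare_digest(expected, parsed[3])

def demo():
    """Constructed sample: genuine image vs. altered payload with recomputed CRC."""
    key = b"constructed-demo-key"
    good = build_image(b"kernel+rootfs v1", key)
    altered = b"kernel+rootfs XX"
    bad = HEADER.pack(MAGIC, len(altered), zlib.crc32(altered)) + altered + good[-TAG_LEN:]
    return [(verify_checksum_only(i), verify_authenticated(i, key)) for i in (good, bad)]
```

`demo()` returns one `(checksum_only, authenticated)` pair per image: the altered image still satisfies the checksum-only check and is rejected only by the authenticated one.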
