CVE-2025-9579
Published: 28 August 2025
Summary
CVE-2025-9579 is a low-severity Command Injection (CWE-77) vulnerability in B-Link Bl-X26 Firmware. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 22.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2025-9579 is an OS command injection vulnerability (CWE-77, CWE-78) affecting the LB-LINK BL-X26 router on firmware version 1.2.8. The flaw exists in an unknown function of the /goform/set_hidessid_cfg file within the HTTP Handler component, where manipulation of the "enable" argument triggers command injection.
Attackers can exploit this remotely with low privileges (PR:L), low attack complexity (AC:L), and no user interaction required (UI:N), as reflected in its CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). Successful exploitation enables limited impacts on confidentiality, integrity, and availability, with a public proof-of-concept exploit available.
VulDB advisories and a GitHub repository detail the issue and provide a POC, but the vendor was contacted early without response, leaving no official patch or mitigation guidance available. Security practitioners should isolate affected devices and monitor for exploitation attempts.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-26137
Vulnerability details
A weakness has been identified in LB-LINK BL-X26 1.2.8. The impacted element is an unknown function of the file /goform/set_hidessid_cfg of the component HTTP Handler. This manipulation of the argument enable causes os command injection. The attack can be initiated…
more
remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection in public-facing HTTP handler (/goform/set_hidessid_cfg) on router enables exploitation of public-facing application (T1190), exploitation of remote services (T1210), indirect command execution (T1202), and Unix shell command execution (T1059.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and sanitization of the 'enable' argument in /goform/set_hidessid_cfg to block OS command injection payloads before execution.
Boundary protection mechanisms such as WAF rules or HTTP request filtering can inspect and drop malicious inputs targeting the vulnerable endpoint from remote sources.
Continuous monitoring of HTTP traffic and system call logs can identify anomalous command execution patterns stemming from the set_hidessid_cfg handler.