Cyber Resilience

CVE-2025-9579

LowPublic PoC

Published: 28 August 2025

Published
28 August 2025
Modified
29 April 2026
KEV Added
Patch
CVSS Score v4 2.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0098 77.2th percentile
Risk Priority 5 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-9579 is a low-severity Command Injection (CWE-77) vulnerability in B-Link Bl-X26 Firmware. Its CVSS base score is 2.1 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 22.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2025-9579 is an OS command injection vulnerability (CWE-77, CWE-78) affecting the LB-LINK BL-X26 router on firmware version 1.2.8. The flaw exists in an unknown function of the /goform/set_hidessid_cfg file within the HTTP Handler component, where manipulation of the "enable" argument triggers command injection.

Attackers can exploit this remotely with low privileges (PR:L), low attack complexity (AC:L), and no user interaction required (UI:N), as reflected in its CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). Successful exploitation enables limited impacts on confidentiality, integrity, and availability, with a public proof-of-concept exploit available.

VulDB advisories and a GitHub repository detail the issue and provide a POC, but the vendor was contacted early without response, leaving no official patch or mitigation guidance available. Security practitioners should isolate affected devices and monitor for exploitation attempts.

EU & UK References

Vulnerability details

A weakness has been identified in LB-LINK BL-X26 1.2.8. The impacted element is an unknown function of the file /goform/set_hidessid_cfg of the component HTTP Handler. This manipulation of the argument enable causes os command injection. The attack can be initiated…

more

remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1202 Indirect Command Execution Stealth
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

OS command injection in public-facing HTTP handler (/goform/set_hidessid_cfg) on router enables exploitation of public-facing application (T1190), exploitation of remote services (T1210), indirect command execution (T1202), and Unix shell command execution (T1059.004).

CVEs Like This One

CVE-2025-9244Shared CWE-77, CWE-78
CVE-2025-7414Shared CWE-77, CWE-78
CVE-2026-3485Shared CWE-77, CWE-78
CVE-2025-10359Shared CWE-77, CWE-78
CVE-2025-0798Shared CWE-77, CWE-78
CVE-2025-8828Shared CWE-77, CWE-78
CVE-2025-10327Shared CWE-77, CWE-78
CVE-2025-14586Shared CWE-77, CWE-78
CVE-2025-11138Shared CWE-77, CWE-78
CVE-2025-9026Shared CWE-77, CWE-78

Affected Assets

b-link
bl-x26 firmware
1.2.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of the 'enable' argument in /goform/set_hidessid_cfg to block OS command injection payloads before execution.

preventdetect

Boundary protection mechanisms such as WAF rules or HTTP request filtering can inspect and drop malicious inputs targeting the vulnerable endpoint from remote sources.

detect

Continuous monitoring of HTTP traffic and system call logs can identify anomalous command execution patterns stemming from the set_hidessid_cfg handler.

References