CVE-2025-9580
Published: 28 August 2025
Summary
CVE-2025-9580 is a low-severity Command Injection (CWE-77) vulnerability in Lb-Link Bl-X26 Firmware. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 22.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-9580 is an OS command injection vulnerability in the LB-LINK BL-X26 router running firmware version 1.2.8. The issue resides in an unknown function within the /goform/set_blacklist endpoint of the HTTP Handler component, where the 'mac' argument can be manipulated to inject arbitrary operating system commands. This flaw is classified under CWE-77 (Command Injection) and CWE-78 (OS Command Injection), with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity.
The vulnerability can be exploited remotely by attackers who possess low privileges, such as authenticated users with access to the affected endpoint. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling command execution on the underlying operating system within the scope of the web server's privileges.
Advisories from VulDB and a GitHub repository detail the issue, including a proof-of-concept exploit. No patches or vendor responses are available, as the manufacturer was notified early but did not reply. Security practitioners should isolate or replace affected devices.
The exploit has been publicly disclosed and may be actively used in the wild, increasing the risk for unpatched LB-LINK BL-X26 deployments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-26132
Vulnerability details
A security vulnerability has been detected in LB-LINK BL-X26 1.2.8. This affects an unknown function of the file /goform/set_blacklist of the component HTTP Handler. Such manipulation of the argument mac leads to OS command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an OS command injection in a public-facing HTTP handler (/goform/set_blacklist) on a network device, enabling remote exploitation (T1190), indirect command execution via web form (T1202), and command/script interpreter abuse (T1059, likely Unix Shell).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of the 'mac' input parameter to the /goform/set_blacklist endpoint, blocking the OS command injection vector.
- AC-6 (Least Privilege): limits the privileges of the HTTP handler process so that any injected commands cannot perform high-impact actions on the router.
- CM-7 (Least Functionality): restricts the router to only required functionality, disabling or tightly constraining the vulnerable blacklist endpoint when not essential.
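One way to implement the SI-10 control for this endpoint, as an added example that is not the vendor's firmware code (the function names, the fixed-length buffer and the sample inputs are assumptions): a strict allow-list validator for the mac argument that rejects anything but a well-formed MAC address before the value can reach command-building code.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Strict allow-list check for the 'mac' form argument: exactly the
 * form "xx:xx:xx:xx:xx:xx" with hex digits. Anything else (shell
 * metacharacters, extra text, wrong length) is rejected outright. */
bool is_valid_mac(const char *mac)
{
    if (mac == NULL || strlen(mac) != 17)
        return false;
    for (size_t i = 0; i < 17; i++) {
        if (i % 3 == 2) {
            if (mac[i] != ':')
                return false;
        } else if (!isxdigit((unsigned char)mac[i])) {
            return false;
        }
    }
    return true;
}

/* Hypothetical handler step (not the firmware's own code): the value is
 * accepted into a fixed buffer only after validation, so it can later be
 * passed to the blacklist logic as a single exec-style argument instead
 * of being interpolated into a shell string. Returns 0 on accept, -1 on reject. */
int set_blacklist_mac(const char *mac, char *out, size_t out_len)
{
    if (!is_valid_mac(mac) || out_len < 18)
        return -1;
    memcpy(out, mac, 18);   /* 17 characters plus the terminating NUL */
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, not captured from a device. */
    const char *samples[] = {
        "00:11:22:33:44:55",    /* well-formed: accepted */
        "00:11:22:33:44:55;x",  /* trailing metacharacter: rejected */
        "00-11-22-33-44-55",    /* wrong separator: rejected */
    };
    char buf[18];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s -> %s\n", samples[i],
               set_blacklist_mac(samples[i], buf, sizeof buf) == 0 ? "accepted" : "rejected");
    return 0;
}
```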