Cyber Posture

CVE-2025-9580

Severity: Medium · Public PoC

Published: 28 August 2025
Modified: 29 April 2026
KEV Added: not listed
Patch: none available
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0058 (69.0th percentile)
Risk Priority: 13 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-9580 is a medium-severity Command Injection (CWE-77) vulnerability in LB-LINK BL-X26 firmware. Its CVSS v3.1 base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 31.0% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and two other techniques (T1059, T1202).
Threat & Defense Details

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

- Addresses CWE-78: Validates inputs to block special elements that would alter OS command execution.
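The second control above is the one that directly applies to this CVE: the `mac` argument reaches an OS command without being constrained to the shape of a MAC address. The following is an added example written for this page, not LB-LINK code; the real `/goform/set_blacklist` implementation is unknown, and the helper binary name `blacklist_helper` and the function names are hypothetical. It shows the two pieces a hardened handler needs: a strict allow-list check on the argument, and passing the value as a single argv element so that no shell ever parses it (the vulnerable pattern being a command string built with the raw argument and handed to `system()`/`popen()`).

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not vendor code. Illustrates input validation (CWE-78
 * mitigation) for a user-controlled MAC argument in a firmware HTTP handler. */

#define MAC_STR_LEN 17 /* "00:11:22:33:44:55" */

/* Allow-list check: accept exactly six pairs of hex digits separated by ':'.
 * Anything else (shell metacharacters, whitespace, wrong length, other
 * separators) is rejected, which is what "validate inputs to block special
 * elements" means in practice. */
bool mac_is_valid(const char *mac)
{
    if (mac == NULL || strlen(mac) != MAC_STR_LEN)
        return false;
    for (size_t i = 0; i < MAC_STR_LEN; i++) {
        if (i % 3 == 2) {
            if (mac[i] != ':')
                return false;
        } else if (!isxdigit((unsigned char)mac[i])) {
            return false;
        }
    }
    return true;
}

/* Canonicalise the already-validated MAC to lowercase into out
 * (out must hold MAC_STR_LEN + 1 bytes). */
static void mac_normalise(const char *mac, char *out)
{
    for (size_t i = 0; i < MAC_STR_LEN; i++)
        out[i] = (char)tolower((unsigned char)mac[i]);
    out[MAC_STR_LEN] = '\0';
}

/* Build an argument vector for a hypothetical firewall helper WITHOUT a shell.
 * The MAC becomes one argv element, so it is never interpreted by /bin/sh.
 * Returns the argument count, or -1 if validation fails. argv_out needs room
 * for 5 entries; mac_buf needs MAC_STR_LEN + 1 bytes and must outlive argv_out. */
int build_blacklist_argv(const char *mac, char *mac_buf, char *argv_out[5])
{
    if (!mac_is_valid(mac))
        return -1;
    mac_normalise(mac, mac_buf);
    argv_out[0] = "blacklist_helper"; /* hypothetical helper binary */
    argv_out[1] = "add";
    argv_out[2] = "--mac";
    argv_out[3] = mac_buf;
    argv_out[4] = NULL;
    return 4;
}

int main(void)
{
    /* Constructed sample inputs, as a web handler might receive them. */
    const char *samples[] = {
        "00:11:22:33:44:55",
        "AA:BB:CC:DD:EE:FF",
        "00:11:22:33:44:5;",   /* metacharacter where a hex digit belongs */
        "00:11:22:33:44:55 x", /* trailing data */
        "00-11-22-33-44-55",   /* wrong separator */
        "",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char mac_buf[MAC_STR_LEN + 1];
        char *argv[5];
        int n = build_blacklist_argv(samples[i], mac_buf, argv);
        if (n < 0)
            printf("rejected: \"%s\"\n", samples[i]);
        else
            printf("accepted: %s %s %s %s\n", argv[0], argv[1], argv[2], argv[3]);
    }
    return 0;
}
```

The validated argv would then be passed to `execve`/`execvp` (or `posix_spawn`) rather than to `system()`. On a device this small, the check is cheap and the allow-list is tight enough that a logging hook on rejected values doubles as a detection point for probing of the endpoint.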

MITRE ATT&CK Enterprise Techniques (AI)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
- T1202 Indirect Command Execution (Stealth): Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
Why these techniques?

The vulnerability is an OS command injection in a public-facing HTTP handler (/goform/set_blacklist) on a network device, enabling remote exploitation (T1190), indirect command execution via web form (T1202), and command/script interpreter abuse (T1059, likely Unix Shell).

NVD Description

A security vulnerability has been detected in LB-LINK BL-X26 1.2.8. This affects an unknown function of the file /goform/set_blacklist of the component HTTP Handler. Such manipulation of the argument mac leads to os command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Deeper analysis (AI)

CVE-2025-9580 is an OS command injection vulnerability in the LB-LINK BL-X26 router running firmware version 1.2.8. The issue resides in an unknown function within the /goform/set_blacklist endpoint of the HTTP Handler component, where the 'mac' argument can be manipulated to inject arbitrary operating system commands. This flaw is classified under CWE-77 (Command Injection) and CWE-78 (OS Command Injection), with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity.

The vulnerability can be exploited remotely by attackers who possess low privileges, such as authenticated users with access to the affected endpoint. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling command execution on the underlying operating system within the scope of the web server's privileges.

Advisories from VulDB and a GitHub repository detail the issue, including a proof-of-concept exploit. No patches or vendor responses are available, as the manufacturer was notified early but did not reply. Security practitioners should isolate or replace affected devices.

The exploit has been publicly disclosed and may be actively used in the wild, increasing the risk for unpatched LB-LINK BL-X26 deployments.

Details

CWE(s): CWE-77 (Command Injection), CWE-78 (OS Command Injection)

Affected Products

Vendor: lb-link
Product: bl-x26 firmware
Version: 1.2.8

CVEs Like This One

- CVE-2025-1610 (same vendor: Lb-Link)
- CVE-2025-1609 (same vendor: Lb-Link)
- CVE-2025-1608 (same vendor: Lb-Link)
- CVE-2026-4228 (same vendor: Lb-Link)
- CVE-2025-7788 (shared CWE-77, CWE-78)
- CVE-2025-8818 (shared CWE-77, CWE-78)
- CVE-2026-4226 (same vendor: Lb-Link)
- CVE-2025-10773 (same vendor: Lb-Link)
- CVE-2026-4227 (same vendor: Lb-Link)
- CVE-2025-1676 (shared CWE-77, CWE-78)

References