CRITICAL🇵🇱 Wersja polska

CVE-2025-45488

CVSS 9.8v3.1pub. 2025-05-06upd. 2025-05-13

Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.ddnsStatus DynDNS function via the mailex parameter.

🤖 AI Analysis
How it works

An attacker sends a crafted request to the runtime.ddnsStatus function that handles DynDNS configuration, injecting malicious system commands via the mailex parameter. The device does not properly validate the value of this parameter before passing it to the command interpreter, allowing arbitrary commands to be executed in the context of the router's operating system. The attack requires no privileges or user interaction.

Impact

An attacker can gain full control over the device by executing arbitrary system commands with the privileges of the process handling the request — which may lead to router compromise, network traffic interception, modification of network configuration, or use of the device as an entry point to the internal network.

Mitigation & patch

Apply patches available from the manufacturer according to the references. Until updates are applied, it is recommended to restrict access to the router's administrative panel exclusively to trusted IP addresses and disable the DynDNS function if it is not being used.

Who is affected

Linksys E5600 with firmware version v1.1.0.26

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Linksys E5600

    HW
    Linksys
    wszystkie wersje
  • Linksys E5600 Firmware

    OS
    Linksys
    1.1.0.26
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-29228CRITICAL9.8PL ✓ten sam produkt

Command injection w Linksys E5600 — parametr mc.ip funkcji macClone

CVE-2025-29229CRITICAL9.8PL ✓ten sam produkt

Command injection w Linksys E5600 — funkcja ddnsStatus

CVE-2025-45489CRITICAL9.8PL ✓ten sam produkt

Command injection w Linksys E5600 via parametr hostname (DynDNS)

CVE-2025-45487CRITICAL9.8PL ✓ten sam produkt

Command injection w Linksys E5600 — funkcja runtime.InternetConnection

CVE-2025-45490CRITICAL9.8PL ✓ten sam produkt

Command injection w Linksys E5600 via parametr password funkcji DynDNS