CVE-2025-12386
Lifecycle Timeline
2DescriptionCVE.org
Pix-Link LV-WR21Q does not enforce any form of authentication for endpoint /goform/getHomePageInfo. Remote unauthenticated attacker is able to use this endpoint to e.g: retrieve cleartext password to the access point.
The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version V108_108 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
AnalysisAI
Pix-Link LV-WR21Q does not enforce any form of authentication for endpoint /goform/getHomePageInfo. Remote unauthenticated attacker is able to use this endpoint to e.g: retrieve cleartext password to the access point.
Technical ContextAI
Classified as CWE-306 (Missing Authentication for Critical Function). Pix-Link LV-WR21Q does not enforce any form of authentication for endpoint /goform/getHomePageInfo. Remote unauthenticated attacker is able to use this endpoint to e.g: retrieve cleartext password to the access point.
The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version V108_108 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Affected ProductsAI
Pix-Link LV-WR21Q does not enforce any form of authentication for endpoint /goform/getHomePageInfo
RemediationAI
Monitor vendor advisories for a patch.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today