Skip to main content

Linksys EA6350 CVE-2025-44657

LOW
Improper Access Control (CWE-284)
2025-07-21 cve@mitre.org
3.9
CVSS 3.1 · Vendor: mitre

Severity by source

Vendor (mitre) PRIMARY
3.9 LOW
AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

FTP is a network service making AV:N appropriate; PR:L reflects required credentials; UI:N as chroot escape needs no victim interaction beyond authentication.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 02:23 vuln.today

DescriptionCVE.org

In Linksys EA6350 V2.1.2, the chroot_local_user option is enabled in the dynamically generated vsftpd configuration file. This could lead to unauthorized access to system files, privilege escalation, or use of the compromised server as a pivot point for internal network attacks.

AnalysisAI

Improper access control in Linksys EA6350 firmware 2.1.2 exposes the embedded vsftpd FTP service via a misconfigured chroot_local_user directive in a dynamically generated configuration file, allowing authenticated FTP users to traverse outside their intended jail and access sensitive system files. Affected users of this specific firmware version could face local privilege escalation or use of the device as a network pivot point for lateral movement into attached internal segments. No public exploit code has been confirmed, EPSS sits at 0.28% (20th percentile), and the device carries no CISA KEV listing, collectively suggesting limited real-world threat activity at this time.

Technical ContextAI

The affected product is the Linksys EA6350 wireless router running firmware version 2.1.2, identified by CPE cpe:2.3:o:linksys:ea6350_firmware:2.1.2:*:*:*:*:*:*:*. The router embeds vsftpd (Very Secure FTP Daemon) and generates its configuration file dynamically at runtime. In vsftpd, the chroot_local_user directive is designed to confine authenticated local users to their home directories; however, when this option is improperly enabled alongside a writable chroot directory without the compensating allow_writeable_chroot safeguard, vsftpd's chroot jail can be escaped or rendered ineffective. The root cause maps to CWE-284 (Improper Access Control): the dynamically generated vsftpd.conf fails to enforce the intended filesystem boundary, meaning the access control mechanism is present but incorrectly implemented. This allows a user with FTP credentials to traverse the filesystem, potentially reaching sensitive router configuration, credentials, or kernel interfaces. Consumer routers like the EA6350 often run BusyBox-based Linux environments where system files, startup scripts, and stored credentials can have broad read permissions once the chroot is broken.

RemediationAI

No vendor-released patch has been identified at time of analysis; the EA6350 is an older consumer device and Linksys may no longer issue firmware updates for this model. As an immediate mitigation, disable the FTP service on the EA6350 entirely via the router's administration interface - this eliminates the attack vector with no meaningful loss of functionality for most deployments, since FTP is rarely required for home or SMB routing. If FTP must remain enabled, restrict FTP access to trusted internal IP ranges only using the router's firewall or access-control rules, preventing external or untrusted-LAN hosts from authenticating. Administrators should also audit any FTP credentials stored on the device and rotate them, as the chroot misconfiguration may have allowed prior access to stored credential files. Upgrading to a supported Linksys or alternative router model with current firmware is the definitive long-term fix. The researcher's findings are documented at https://gist.github.com/TPCchecker/7839fbd329ebd2f9f6b105c4926d4b0c for additional technical context.

Share

CVE-2025-44657 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy