Skip to main content

E5600 Firmware CVE-2025-45491

CRITICAL
Command Injection (CWE-77)
2025-05-06 cve@mitre.org
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 28, 2026 - 18:40 vuln.today
PoC Detected
May 13, 2025 - 20:19 vuln.today
Public exploit code
CVE Published
May 06, 2025 - 16:15 nvd
CRITICAL 9.8

DescriptionCVE.org

Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.ddnsStatus DynDNS function via the username parameter.

AnalysisAI

Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.ddnsStatus DynDNS function via the username parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 11.9%.

Technical ContextAI

This vulnerability is classified as Command Injection (CWE-77), which allows attackers to inject arbitrary commands into system command execution. Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.ddnsStatus DynDNS function via the username parameter. Affected products include: Linksys E5600 Firmware.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized APIs, avoid shell execution, validate input with strict allowlists.

CVE-2025-45488 CRITICAL POC
9.8 May 06

Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.ddnsStatus DynDNS fun

CVE-2025-45487 CRITICAL POC
9.8 May 06

Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.InternetConnection fu

CVE-2025-45490 CRITICAL POC
9.8 May 06

Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.ddnsStatus DynDNS fun

CVE-2025-45489 CRITICAL POC
9.8 May 06

Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.ddnsStatus DynDNS fun

CVE-2024-33789 CRITICAL POC
9.8 May 03

Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability via the ipurl parameter at /API/info

CVE-2024-33788 HIGH POC
8.0 May 06

Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability via the PinCode parameter at /API/in

CVE-2025-29230 HIGH
8.6 Mar 21

Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.emailReg function. Ra

CVE-2025-29227 MEDIUM
6.3 Mar 21

In Linksys E5600 V1.1.0.26, the \usr\share\lua\runtime.lua file contains a command injection vulnerability in the runtim

CVE-2025-29226 MEDIUM
6.3 Mar 21

In Linksys E5600 V1.1.0.26, the \usr\share\lua\runtime.lua file contains a command injection vulnerability in the runtim

CVE-2025-29223 MEDIUM
6.3 Mar 21

Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability via the pt parameter in the traceRou

CVE-2025-9146 HIGH POC
7.5 Aug 19

A flaw has been found in Linksys E5600 1.1.0.26. Rated high severity (CVSS 7.5), this vulnerability is remotely exploita

CVE-2025-22997 MEDIUM POC
4.8 Jan 15

A stored cross-site scripting (XSS) vulnerability in the prf_table_content component of Linksys E5600 Router Ver. Rated

Share

CVE-2025-45491 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy