Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability, which was classified as critical, has been found in LB-LINK BL-AC3600 1.0.22. Affected by this issue is some unknown functionality of the file /etc/shadow. The manipulation with the input root:blinkadmin leads to hard-coded credentials. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Hard-coded credentials in LB-LINK BL-AC3600 firmware 1.0.22 allow a local, low-privileged user to escalate to full root control of the router. The firmware ships a static root entry in /etc/shadow whose password is 'blinkadmin', so anyone who reaches a login prompt on the device (whatever local login path the unit exposes, or a foothold gained through another bug) can log in as root. Because the credential is baked into the firmware image it is identical on every unit, and it can be recovered offline by anyone who extracts the image. Public proof-of-concept code demonstrates practical exploitation (PoC confirmed on GitHub; the vector's E:P reflects this). The CVSS 4.0 score of 7.1 and the low EPSS (0.03%, 6th percentile) reflect the local-access requirement, not limited impact: on the home and SOHO networks these routers serve, this is a complete device takeover once physical or admin-panel access exists. LB-LINK did not respond to the disclosure, so no patch should be expected.
Technical Context (AI)
The root cause is CWE-259 (Use of Hard-coded Password), one of the most common credential weaknesses in embedded device firmware. The affected product is the LB-LINK BL-AC3600 wireless router running firmware 1.0.22 (CPE: cpe:2.3:o:lb-link:bl-ac3600_firmware:*:*:*:*:*:*:*:*). On a properly built system, /etc/shadow holds a salted password hash that is set per device; here the firmware image carries a fixed root entry with the password 'blinkadmin', so every unit shares the same root credential, and anyone who extracts the image can recover the hash and crack it or simply reuse the known password. Where the root filesystem is read-only, as is common in such firmware, the entry cannot even be reliably changed in the field. Sound practice for embedded Linux is to generate the root credential per device at first boot or derive it from a hardware-specific secret, and to lock the root password field entirely where no interactive login is needed. The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N) requires local access with low-privilege credentials and no user interaction; once exploited it grants complete control of the device (VC:H/VI:H/VA:H). The vector scores no impact on subsequent systems (SC:N/SI:N/SA:N), but a root-owned gateway is a strong pivot position for everything behind it.
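As an added illustration of the audit a practitioner would run on an extracted firmware image or on shadow files pulled from several units (this is example code written for this page, not LB-LINK's code and not the disclosed PoC): it parses /etc/shadow entries, classifies the hash algorithm, flags accounts that accept password login, and reports root hashes that are identical across images or units, which is the signature of a credential baked into the firmware rather than generated per device. The shadow lines, hash bodies and image names are constructed placeholders; the real BL-AC3600 hash is not reproduced. Candidate-password verification uses Python's crypt module when present (it was removed in Python 3.13) and otherwise reports that it could not check.

```python
"""Audit /etc/shadow files pulled from firmware images or devices for
hard-coded or shared root credentials (CWE-259).

Added example for this page: not LB-LINK code and not the public PoC.
Sample shadow contents and hash bodies below are constructed placeholders."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

try:
    import crypt  # present through Python 3.12, removed in 3.13
except ImportError:
    crypt = None

# Hash prefix -> algorithm. A bare 13-character field is traditional DES crypt.
_PREFIXES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
             "$y$": "yescrypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt"}


@dataclass
class ShadowEntry:
    user: str
    hash: str  # second field of the shadow(5) line

    def is_locked(self) -> bool:
        # "*" or a leading "!" means no password login for this account.
        return self.hash.startswith(("*", "!"))

    def is_empty(self) -> bool:
        # Empty field: login without any password at all.
        return self.hash == ""

    def algorithm(self) -> str:
        for prefix, name in _PREFIXES.items():
            if self.hash.startswith(prefix):
                return name
        if re.fullmatch(r"[./0-9A-Za-z]{13}", self.hash):
            return "descrypt"
        return "unknown"


def parse_shadow(text: str) -> List[ShadowEntry]:
    """Parse shadow(5) lines; comments, blank and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        entries.append(ShadowEntry(fields[0], fields[1]))
    return entries


def audit(text: str) -> List[str]:
    """One finding per account that can be logged into with a password."""
    findings = []
    for e in parse_shadow(text):
        if e.is_empty():
            findings.append(f"{e.user}: empty password field (login without password)")
        elif not e.is_locked():
            alg = e.algorithm()
            weak = alg in ("descrypt", "md5crypt")
            findings.append(f"{e.user}: active password login, {alg}"
                            + (" (weak, cheap to crack offline)" if weak else ""))
    return findings


def shared_root_hashes(images: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each unlocked root hash to the images/units carrying it.
    A hash shared by more than one image is a hard-coded credential:
    a per-device credential would never repeat across units."""
    by_hash: Dict[str, List[str]] = {}
    for name, text in images.items():
        for e in parse_shadow(text):
            if e.user == "root" and not e.is_locked():
                by_hash.setdefault(e.hash, []).append(name)
    return {h: names for h, names in by_hash.items() if len(names) > 1}


def password_matches(entry: ShadowEntry, candidate: str) -> Optional[bool]:
    """Check a candidate password against an entry. Returns None when the
    interpreter has no crypt module, so the caller knows nothing was checked."""
    if entry.is_locked():
        return False
    if entry.is_empty():
        return candidate == ""
    if crypt is None:
        return None
    return crypt.crypt(candidate, entry.hash) == entry.hash


# Constructed sample data: two units of the same firmware share a root hash,
# a third image from another build has its own. Hash bodies are placeholders.
SAMPLE_SHADOW = """\
root:$1$AbCdEfGh$0123456789abcdefghijkl:0:0:99999:7:::
daemon:*:0:0:99999:7:::
admin::0:0:99999:7:::
"""
OTHER_SHADOW = "root:$6$Zyxwvuts$placeholderhashbodyABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789:0:0:99999:7:::\n"
FLEET = {"fw-1.0.22-unitA": SAMPLE_SHADOW,
         "fw-1.0.22-unitB": SAMPLE_SHADOW,
         "other-build": OTHER_SHADOW}

if __name__ == "__main__":
    for finding in audit(SAMPLE_SHADOW):
        print(finding)
    for h, units in shared_root_hashes(FLEET).items():
        print(f"root hash {h[:12]}... shared by {', '.join(units)}")
    print("candidate check:", password_matches(parse_shadow(SAMPLE_SHADOW)[0], "blinkadmin"))
```

Feed it the /etc/shadow from each unit (or from each firmware version you can download): a root hash that repeats across units is the finding, and an md5crypt or DES hash on an active root account is cheap to crack even without a known password.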
Remediation (AI)
No vendor patch was identified at the time of analysis; LB-LINK did not respond to the disclosure, so no official fix for firmware 1.0.22 should be expected. The primary recommendation is to replace affected BL-AC3600 routers with devices from a vendor that demonstrates active security support and a working update process. Where immediate replacement is not feasible, the following compensating controls reduce exposure, each with an operational trade-off:
(1) Disable every remote management path (TR-069, cloud management, UPnP, WAN-side administration) and any telnet or SSH service you do not need, so that a remote attacker cannot chain another vulnerability into the local foothold this issue requires; this breaks remote support.
(2) Restrict administrative access to known devices (MAC filtering, or a dedicated management VLAN or SSID); this adds management overhead, and MAC filtering is defeated by spoofing from anyone already on the network.
(3) Segment the network so the router sits behind a hardened upstream firewall, limiting the blast radius if it is compromised; this requires additional hardware.
(4) If you can obtain a shell yourself, check whether /etc/shadow is writable and whether the change survives a reboot; if so, set a new root password with passwd on that unit, bearing in mind that a factory reset or firmware reflash restores the hard-coded entry.
(5) Monitor /etc/shadow integrity and the router's process list for unexpected changes, accepting that an attacker who already has root can disable the monitoring.
Technical details are in the public disclosure at https://github.com/waiwai24/0101/blob/main/CVEs/Blink/Hardcoded_Credentials_in_BL-AC3600_Routers.md. None of these controls removes the hard-coded credential; device replacement remains the only definitive fix.
Also tracked as EUVD-2025-21303.