CVE-2025-9579
MEDIUMCVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Description
A weakness has been identified in LB-LINK BL-X26 1.2.8. The impacted element is an unknown function of the file /goform/set_hidessid_cfg of the component HTTP Handler. This manipulation of the argument enable causes os command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis
A weakness has been identified in LB-LINK BL-X26 1.2.8. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Technical Context
This vulnerability is classified as Command Injection (CWE-77), which allows attackers to inject arbitrary commands into system command execution. A weakness has been identified in LB-LINK BL-X26 1.2.8. The impacted element is an unknown function of the file /goform/set_hidessid_cfg of the component HTTP Handler. This manipulation of the argument enable causes os command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. Affected products include: B-Link Bl-X26 Firmware.
Affected Products
B-Link Bl-X26 Firmware.
Remediation
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized APIs, avoid shell execution, validate input with strict allowlists.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today