EUVD-2025-18263 | CVE-2025-45986 | CRITICAL
Published 2025-06-13 ([email protected])
CVSS 3.1 base score: 9.8

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High

Lifecycle Timeline

- Analysis Generated: Mar 14, 2026 21:34 (vuln.today)
- EUVD ID Assigned: Mar 14, 2026 21:34 (euvd), EUVD-2025-18263
- PoC Detected: Jul 23, 2025 20:32 (vuln.today), public exploit code
- CVE Published: Jun 13, 2025 12:15 (nvd), CRITICAL 9.8

Description

Blink routers BL-WR9000 V2.4.9, BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 v1.0.5, BL-LTE300 v1.2.3, BL-F1200_AT1 v1.0.0, BL-X26_AC8 v1.2.8, BLAC450M_AE4 v4.0.0 and BL-X26_DA3 v1.2.7 were discovered to contain a command injection vulnerability via the mac parameter in the bs_SetMacBlack function.

Analysis

A critical unauthenticated remote command injection vulnerability exists in multiple Blink router models through the 'mac' parameter in the bs_SetMacBlack function, allowing attackers to execute arbitrary commands with full system privileges. Affected models include BL-WR9000 V2.4.9, BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 v1.0.5, BL-LTE300 v1.2.3, BL-F1200_AT1 v1.0.0, BL-X26_AC8 v1.2.8, BLAC450M_AE4 v4.0.0, and BL-X26_DA3 v1.2.7. With a CVSS score of 9.8 and network-based attack vector requiring no authentication or user interaction, this vulnerability poses severe risk to any exposed router on the network.

Technical Context

The vulnerability is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command), indicating insufficient input validation in the bs_SetMacBlack function. The MAC address filtering feature in these Blink routers accepts user-supplied input via the 'mac' parameter without proper sanitization before passing it to system command execution functions. Blink routers typically run embedded Linux-based firmware and execute network filtering commands (likely iptables or similar) to implement MAC-based access control. The lack of input validation allows attackers to inject shell metacharacters and arbitrary command sequences into what should be a simple MAC address parameter, resulting in command injection at the system privilege level. The affected CPE identifiers span multiple product lines and firmware versions, indicating a systemic validation failure across Blink's router product portfolio.
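The defect class described above is easiest to see side by side: a handler that interpolates the 'mac' parameter into a shell command line, and a hardened version that enforces the MAC address format and hands the value to the filtering binary as a single argv element with no shell in between. The code below is an added illustration written for this page, not Blink firmware or the real bs_SetMacBlack function; the iptables invocation is an assumption about what such a handler might run, and the function names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Strict allowlist check: exactly "xx:xx:xx:xx:xx:xx" with hex digits.
 * Any other length, separator or character (including shell
 * metacharacters) is rejected before the value reaches a command. */
int is_valid_mac(const char *mac) {
    if (mac == NULL || strlen(mac) != 17) return 0;
    for (int i = 0; i < 17; i++) {
        if (i % 3 == 2) {
            if (mac[i] != ':') return 0;
        } else if (!isxdigit((unsigned char)mac[i])) {
            return 0;
        }
    }
    return 1;
}

/* CWE-77 pattern (hypothetical): the untrusted parameter is pasted into a
 * command line that would be handed to system(). This function only builds
 * the string so the injection point is visible; it never executes it. */
int build_blacklist_cmd_unsafe(const char *mac, char *out, size_t outlen) {
    int n = snprintf(out, outlen,
                     "iptables -A INPUT -m mac --mac-source %s -j DROP", mac);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened handler (hypothetical): validate first, then exec the binary
 * directly with the MAC as one argv element. No shell parses the value,
 * so characters such as ';' or '`' carry no meaning even if validation
 * were ever loosened. dry_run=1 skips the fork/exec for testing. */
int blacklist_mac(const char *mac, int dry_run) {
    if (!is_valid_mac(mac)) return -1;
    char *argv[] = { "iptables", "-A", "INPUT", "-m", "mac",
                     "--mac-source", (char *)mac, "-j", "DROP", NULL };
    if (dry_run) return 0;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);            /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void) {
    /* Constructed sample inputs: one well-formed MAC, one with a trailing
     * shell metacharacter, as a request handler might receive them. */
    const char *inputs[] = { "00:11:22:33:44:55", "00:11:22:33:44:55;" };
    for (int i = 0; i < 2; i++) {
        char cmd[128];
        build_blacklist_cmd_unsafe(inputs[i], cmd, sizeof cmd);
        printf("unsafe command line : %s\n", cmd);
        printf("hardened handler    : %s\n",
               blacklist_mac(inputs[i], 1) == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The two checks are independent: the format validation stops malformed input at the boundary, and the exec-without-shell design removes the command interpreter that would otherwise turn a stray metacharacter into a command. A firmware handler that does either one correctly is not vulnerable to this class; doing both is the conventional defence in depth.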

Affected Products

- Blink BL-WR9000, affected version V2.4.9, WiFi Router
- Blink BL-AC2100_AZ3, affected version V1.0.4, Wireless Router
- Blink BL-X10_AC8, affected version v1.0.5, AC WiFi Router
- Blink BL-LTE300, affected version v1.2.3, LTE Router
- Blink BL-F1200_AT1, affected version v1.0.0, WiFi Router
- Blink BL-X26_AC8, affected version v1.2.8, AC WiFi Router
- Blink BLAC450M_AE4, affected version v4.0.0, Wireless Router
- Blink BL-X26_DA3, affected version v1.2.7, WiFi Router

Remediation

Immediate actions:
(1) Identify and isolate all affected Blink routers from the network, or restrict WAN access via firewall rules to trusted networks only.
(2) Monitor for indicators of compromise including unexpected processes, outbound connections, and system log anomalies.

Vendor patching:
Contact Blink support or check the vendor advisory portal for patched firmware versions for each affected model. Patch availability is not explicitly detailed in the provided references and must be verified through official Blink channels.

Workarounds:
(1) Disable remote management/WAN access to the router's web interface if it is not required for operations.
(2) Implement network segmentation to prevent untrusted hosts from reaching the router management interface.
(3) Restrict access to the router's web interface to specific trusted IP addresses via firewall ACLs.

Long-term:
Replace affected devices with patched versions once available, or transition to alternative router vendors with stronger input validation practices.

Priority Score

72 (scale: Low / Medium / High / Critical)
- KEV: 0
- EPSS: +3.0
- CVSS: +49
- POC: +20
