EUVD-2025-18264

CVE-2025-45985 | CRITICAL 9.8 (CVSS 3.1)
2025-06-13 [email protected]

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

CVE Published: Jun 13, 2025 - 12:15 (nvd), rated CRITICAL 9.8
PoC Detected: Jul 10, 2025 - 12:15 (vuln.today), public exploit code
EUVD ID Assigned: Mar 14, 2026 - 21:34 (euvd), EUVD-2025-18264
Analysis Generated: Mar 14, 2026 - 21:34 (vuln.today)

Description

Blink routers BL-WR9000 V2.4.9, BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 v1.0.5, BL-LTE300 v1.2.3, BL-F1200_AT1 v1.0.0, BL-X26_AC8 v1.2.8, BLAC450M_AE4 v4.0.0 and BL-X26_DA3 v1.2.7 were discovered to contain a command injection vulnerability via the bs_SetSSIDHide function.

Analysis

Critical remote command injection in multiple Blink router models via the bs_SetSSIDHide function. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) describes an attack that is reachable over the network, of low complexity, and needs neither credentials nor user interaction; the High confidentiality, integrity and availability impacts amount to full compromise of the device. Eight models are listed, each at a single firmware version (from v1.0.0 for the BL-F1200_AT1 to v4.0.0 for the BLAC450M_AE4), and the description does not say whether earlier or later builds of each model are also affected. Public proof-of-concept code was recorded on Jul 10, 2025, but the entry is not in CISA's Known Exploited Vulnerabilities catalog (KEV: 0), so treat the flaw as exploitable with public tooling rather than as confirmed exploited in the wild. The affected devices are home and small-business routers, where a single compromised gateway exposes every host behind it.

Technical Context

The weakness is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command, 'Command Injection'): the bs_SetSSIDHide function does not neutralize shell metacharacters in its parameters. From its name, the function presumably handles the SSID (Service Set Identifier) visibility setting in the router's wireless configuration subsystem; the CVE description names neither the parameter nor the interface through which the function is reached, though on consumer routers of this class that is normally the web management interface. The CWE-77 classification and the CVSS vector together point at the usual pattern in embedded firmware: the request parameter is concatenated into a command string that is handed to system(), popen() or a similar shell-invoking function, rather than validated against the small set of values the feature needs and passed as discrete arguments through execve() or posix_spawn(). In that pattern a single metacharacter such as ';' or a backtick in the parameter is enough to run an attacker-chosen command as the web server process, which on such devices commonly runs as root.
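The following is an added example, not Blink's firmware or any code from this advisory. It models the CWE-77 pattern described above (an HTTP parameter spliced into a shell command line) and a hardened replacement that validates the parameters and passes them as an argv array. Every name in it is hypothetical: the real bs_SetSSIDHide code is not on this page, and the "uci"/"wifi" commands, the interface names and the "1;reboot" payload are stand-ins chosen for illustration.

```c
/* Added example, not Blink's firmware.  Models the CWE-77 pattern the
 * analysis describes and a hardened replacement.  All names are
 * hypothetical: the real bs_SetSSIDHide code is not on this page, and the
 * "uci"/"wifi" commands and interface names are stand-ins. */
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern.  Rather than calling system(), this returns the string
 * that system() would hand to /bin/sh -c, so the injection is visible without
 * executing anything.  snprintf bounds the copy but does nothing about shell
 * metacharacters: a hide value of "1;reboot" becomes a second command. */
int build_cmd_unsafe(const char *iface, const char *hide, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "uci set wireless.%s.hidden=%s && wifi reload",
                     iface, hide);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Hardened pattern, part 1: validate each parameter against what the feature
 * needs.  The interface must come from a fixed list and the flag must be
 * exactly "0" or "1"; anything else is rejected before any command is built. */
static const char *const allowed_ifaces[] = { "wlan0", "wlan1", NULL };

int valid_iface(const char *iface)
{
    for (int i = 0; allowed_ifaces[i] != NULL; i++)
        if (strcmp(iface, allowed_ifaces[i]) == 0)
            return 1;
    return 0;
}

int valid_hide_flag(const char *hide)
{
    return strcmp(hide, "0") == 0 || strcmp(hide, "1") == 0;
}

/* Hardened pattern, part 2: build an argv array for execve()/posix_spawn()
 * instead of a command line.  With no shell in the path, even a value that
 * slipped past validation is one argument, not a command.
 * Returns the argument count, or -1 if the input was rejected. */
int build_argv_safe(const char *iface, const char *hide,
                    const char *argv[], size_t maxargs, char *setbuf, size_t setlen)
{
    if (!valid_iface(iface) || !valid_hide_flag(hide) || maxargs < 4)
        return -1;
    int n = snprintf(setbuf, setlen, "wireless.%s.hidden=%s", iface, hide);
    if (n < 0 || (size_t)n >= setlen)
        return -1;
    argv[0] = "uci";
    argv[1] = "set";
    argv[2] = setbuf;
    argv[3] = NULL;
    return 3;
}

int main(void)
{
    char cmd[256], setbuf[64];
    const char *argv[4];
    const char *payload = "1;reboot";   /* constructed injection value */

    build_cmd_unsafe("wlan0", payload, cmd, sizeof cmd);
    printf("unsafe: sh -c '%s'\n", cmd);          /* the second command survives */

    if (build_argv_safe("wlan0", payload, argv, 4, setbuf, sizeof setbuf) < 0)
        printf("safe: rejected \"%s\"\n", payload);
    if (build_argv_safe("wlan0", "1", argv, 4, setbuf, sizeof setbuf) == 3)
        printf("safe: execve %s %s %s\n", argv[0], argv[1], argv[2]);
    return 0;
}
```

The point of the hardened half is that the two defences are independent: the allowlist rejects anything that is not a known interface and a 0/1 flag, and the argv construction means a shell never parses the values at all, so a validation bug does not by itself reopen the injection.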

Affected Products

- vendor: Blink; model: BL-WR9000; version: V2.4.9; type: Router
- vendor: Blink; model: BL-AC2100_AZ3; version: V1.0.4; type: Router
- vendor: Blink; model: BL-X10_AC8; version: v1.0.5; type: Router
- vendor: Blink; model: BL-LTE300; version: v1.2.3; type: LTE Router
- vendor: Blink; model: BL-F1200_AT1; version: v1.0.0; type: Router
- vendor: Blink; model: BL-X26_AC8; version: v1.2.8; type: Router
- vendor: Blink; model: BLAC450M_AE4; version: v4.0.0; type: Router
- vendor: Blink; model: BL-X26_DA3; version: v1.2.7; type: Router

Remediation

Immediate remediation steps:

(1) Check Blink's official security advisories and support channels for patched firmware for each affected model. Patch versions are model-specific and were not disclosed in the CVE description, so the fixed build for each device must come from Blink.
(2) If a patch is available, update the firmware immediately through the router's management interface or the manufacturer's firmware update tool, and confirm the running version afterwards.
(3) If no patch is available, reduce exposure at the network level: disable remote (WAN-side) management, restrict access to the management interface to trusted addresses with firewall rules, and verify that the management ports are not reachable from the Internet. Because the vector requires no authentication (PR:N), anyone who can reach the management interface can exploit the flaw, so limiting reachability is the main compensating control.
(4) Monitor traffic to the management interface for command-injection attempts: shell metacharacters (';', '|', '&', backticks, '$(', newlines) or their percent-encoded forms in HTTP parameter values sent to the SSID configuration endpoints. The endpoint path that reaches bs_SetSSIDHide is not given on this page and varies by firmware, so baseline the legitimate requests to each device first.
(5) Establish a firmware update schedule for all consumer networking equipment, for example a monthly check for updates.
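As an added example for the monitoring step (4), not code from this advisory or from Blink: a log-side check that percent-decodes each query parameter of a management-interface request and flags shell metacharacters. The endpoint path /goform/setSSIDHide, the parameter names and the four access-log lines are constructed for the example; the real endpoint is not known from this page.

```c
/* Added example for the monitoring step, not Blink's code.  Scans
 * access-log lines for command-injection attempts against a router's HTTP
 * management interface.  The endpoint path /goform/setSSIDHide, the
 * parameter names and the log lines are constructed for the example. */
#include <stdio.h>
#include <string.h>

/* Shell metacharacters that no SSID-hide request legitimately needs. */
static const char shell_meta[] = ";|&`$\n\r<>(){}";

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode in place ('+' becomes space).  Decoding first matters:
 * attackers send %3B or %0A precisely so a raw-string match misses them. */
void url_decode(char *s)
{
    char *w = s;
    for (char *r = s; *r; r++) {
        if (*r == '%' && hexval(r[1]) >= 0 && hexval(r[2]) >= 0) {
            *w++ = (char)(hexval(r[1]) * 16 + hexval(r[2]));
            r += 2;
        } else if (*r == '+') {
            *w++ = ' ';
        } else {
            *w++ = *r;
        }
    }
    *w = '\0';
}

/* Extract the request target ("/path?query") from a Common Log Format line.
 * Returns 0 if the line carries no quoted request. */
int request_target(const char *line, char *out, size_t outlen)
{
    const char *q = strchr(line, '"');
    if (!q) return 0;
    const char *sp = strchr(q + 1, ' ');            /* skip the method */
    if (!sp) return 0;
    const char *end = strchr(sp + 1, ' ');          /* stop before HTTP/x.y */
    if (!end) end = sp + 1 + strlen(sp + 1);
    size_t len = (size_t)(end - (sp + 1));
    if (len >= outlen) return 0;
    memcpy(out, sp + 1, len);
    out[len] = '\0';
    return 1;
}

/* 1 if any decoded query parameter of the line contains a shell metacharacter.
 * The query is split on raw '&' separators before decoding, so a legitimate
 * "a=1&b=2" is clean while an encoded %26 inside one value is still caught. */
int line_looks_injected(const char *line)
{
    char target[512];
    if (!request_target(line, target, sizeof target)) return 0;
    char *param = strchr(target, '?');
    if (!param) return 0;
    param++;
    while (param) {
        char *next = strchr(param, '&');
        if (next) *next++ = '\0';
        url_decode(param);
        if (strpbrk(param, shell_meta)) return 1;
        param = next;
    }
    return 0;
}

/* Scan n log lines, recording the indices of flagged lines; returns the count. */
int scan_log(const char *const *lines, int n, int *flagged, int maxflagged)
{
    int count = 0;
    for (int i = 0; i < n && count < maxflagged; i++)
        if (line_looks_injected(lines[i]))
            flagged[count++] = i;
    return count;
}

/* Constructed sample log: a benign request, a raw injection attempt, a
 * percent-encoded one (%60 is a backtick), and a request with no query. */
static const char *const sample_log[] = {
    "192.168.1.10 - - [10/Jul/2025:12:15:01 +0000] \"GET /goform/setSSIDHide?wlan=wlan0&hide=1 HTTP/1.1\" 200 12",
    "203.0.113.7 - - [10/Jul/2025:12:15:02 +0000] \"GET /goform/setSSIDHide?wlan=wlan0&hide=1;reboot HTTP/1.1\" 200 12",
    "203.0.113.7 - - [10/Jul/2025:12:15:03 +0000] \"GET /goform/setSSIDHide?wlan=wlan0%60id%60&hide=1 HTTP/1.1\" 200 12",
    "192.168.1.11 - - [10/Jul/2025:12:15:04 +0000] \"GET /index.html HTTP/1.1\" 200 4096",
};
#define SAMPLE_LOG_LEN (int)(sizeof sample_log / sizeof sample_log[0])

int main(void)
{
    int flagged[SAMPLE_LOG_LEN];
    int n = scan_log(sample_log, SAMPLE_LOG_LEN, flagged, SAMPLE_LOG_LEN);
    for (int i = 0; i < n; i++)
        printf("flagged line %d: %s\n", flagged[i], sample_log[flagged[i]]);
    return 0;
}
```

The metacharacter set is deliberately broad for an endpoint whose parameters should only ever be an interface name and a 0/1 flag; if the same rule is applied to endpoints that accept free-form SSID names, restrict it to the parameters that reach the shell, or it will flag legitimate names containing '&' or '$'.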

Priority Score

97 on a Low / Medium / High / Critical scale, composed of:
KEV: 0
EPSS: +27.7
CVSS: +49
POC: +20

EUVD-2025-18264 vulnerability details – vuln.today