Bl Ac3600 Firmware
Monthly
A vulnerability, which was classified as critical, was found in LB-LINK BL-AC3600 up to 1.0.22. This affects the function geteasycfg of the file /cgi-bin/lighttpd.cgi of the component Web Management Interface. The manipulation of the argument Password leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-7564 is a critical authentication bypass vulnerability in LB-LINK BL-AC3600 firmware version 1.0.22 that exposes hard-coded credentials (root:blinkadmin) in the /etc/shadow file. An authenticated local attacker can exploit this to gain full system compromise with high impact on confidentiality, integrity, and availability. Public exploitation code exists and the vendor has not responded to disclosure attempts, elevating real-world risk despite requiring local access prerequisites.
A vulnerability, which was classified as critical, was found in LB-LINK BL-AC3600 up to 1.0.22. This affects the function geteasycfg of the file /cgi-bin/lighttpd.cgi of the component Web Management Interface. The manipulation of the argument Password leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-7564 is a critical authentication bypass vulnerability in LB-LINK BL-AC3600 firmware version 1.0.22 that exposes hard-coded credentials (root:blinkadmin) in the /etc/shadow file. An authenticated local attacker can exploit this to gain full system compromise with high impact on confidentiality, integrity, and availability. Public exploitation code exists and the vendor has not responded to disclosure attempts, elevating real-world risk despite requiring local access prerequisites.