CRITICAL🇵🇱 Wersja polska

CVE-2025-45489

CVSS 9.8v3.1pub. 2025-05-06upd. 2025-05-13

Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.ddnsStatus DynDNS function via the hostname parameter.

🤖 AI Analysis
How it works

The vulnerability results from insufficient validation and sanitization of input data passed through the hostname parameter to the runtime.ddnsStatus function handling the DynDNS service. An attacker can inject malicious system commands into this parameter, which will be executed directly by the device's operating system. The attack vector is network-based, requires no authentication or user interaction, making exploitation particularly straightforward.

Impact

Successful exploitation of the vulnerability allows an attacker to gain full control over the device — execute arbitrary commands with system privileges, read and modify configuration, and potentially use the router as an entry point to the local network.

Mitigation & patch

Apply patches available from the manufacturer according to the references. As interim measures, it is recommended to restrict access to the device management interface to trusted hosts only and disable the DynDNS function if not in use.

Who is affected

Linksys E5600 with firmware version v1.1.0.26

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Linksys E5600

    HW
    Linksys
    wszystkie wersje
  • Linksys E5600 Firmware

    OS
    Linksys
    1.1.0.26
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-29228CRITICAL9.8PL ✓ten sam produkt

Command injection w Linksys E5600 — parametr mc.ip funkcji macClone

CVE-2025-29229CRITICAL9.8PL ✓ten sam produkt

Command injection w Linksys E5600 — funkcja ddnsStatus

CVE-2025-45488CRITICAL9.8PL ✓ten sam produkt

Command injection w Linksys E5600 via parametr mailex funkcji DynDNS

CVE-2025-45487CRITICAL9.8PL ✓ten sam produkt

Command injection w Linksys E5600 — funkcja runtime.InternetConnection

CVE-2025-45490CRITICAL9.8PL ✓ten sam produkt

Command injection w Linksys E5600 via parametr password funkcji DynDNS