CRITICAL🇵🇱 Wersja polska

CVE-2025-45490

CVSS 9.8v3.1pub. 2025-05-06upd. 2025-05-13

Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.ddnsStatus DynDNS function via the password parameter.

🤖 AI Analysis
How it works

The attacker sends a specially crafted request containing malicious system commands embedded in the password parameter handled by the runtime.ddnsStatus function responsible for Dynamic DNS handling. The device does not properly filter input data passed to the system shell interpreter, allowing for injection and execution of arbitrary commands in the context of the router's operating system. The vulnerability is remotely accessible, requires no authentication or user interaction, and the attack vector is network-based (AV:N/AC:L/PR:N/UI:N).

Impact

An attacker can gain full control of the device — read confidential configuration data, modify network settings, and also use the router as an entry point for further attacks on the internal network (lateral movement).

Mitigation & patch

Patches available from the manufacturer should be applied according to the references. Until an update is obtained, it is recommended to restrict access to the router's administrative interface only to trusted hosts and disable the Dynamic DNS (DynDNS) function if it is not actively used.

Who is affected

Linksys E5600 with firmware version v1.1.0.26

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Linksys E5600

    HW
    Linksys
    wszystkie wersje
  • Linksys E5600 Firmware

    OS
    Linksys
    1.1.0.26
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-29228CRITICAL9.8PL ✓ten sam produkt

Command injection w Linksys E5600 — parametr mc.ip funkcji macClone

CVE-2025-29229CRITICAL9.8PL ✓ten sam produkt

Command injection w Linksys E5600 — funkcja ddnsStatus

CVE-2025-45488CRITICAL9.8PL ✓ten sam produkt

Command injection w Linksys E5600 via parametr mailex funkcji DynDNS

CVE-2025-45487CRITICAL9.8PL ✓ten sam produkt

Command injection w Linksys E5600 — funkcja runtime.InternetConnection

CVE-2025-45489CRITICAL9.8PL ✓ten sam produkt

Command injection w Linksys E5600 via parametr hostname (DynDNS)