Overview
A high-severity stack-based buffer overflow vulnerability, identified as CVE-2025-60690, has been discovered in Linksys E1200 v2 routers running firmware version E1200_v2.0.11.001_us. This flaw allows unauthenticated remote attackers to potentially execute arbitrary code or cause a denial-of-service (DoS) condition on affected devices.
Technical Details
The vulnerability resides in the get_merge_ipaddr function within the httpd binary. This function is responsible for concatenating up to four user-supplied CGI parameters (named <parameter>_0 through <parameter>_3) into a fixed-size buffer. Critically, the function lacks proper bounds checking during the concatenation process. By sending specially crafted HTTP requests with overly long parameter values, an attacker can overflow this buffer on the stack.
This stack overflow can overwrite critical data on the stack, potentially allowing the attacker to redirect program execution to arbitrary code under their control, leading to remote code execution (RCE). Alternatively, the overflow could corrupt data sufficiently to cause the router to crash, resulting in a denial-of-service (DoS) condition.
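The bounded form of the concatenation described above, as an added example written for this advisory rather than code taken from the Linksys firmware; the function names, the octet check and the caller-supplied buffer size are assumptions, since the advisory does not give the real buffer size in httpd.

```c
#include <stddef.h>
#include <string.h>

/* Added check: accept only a 1-3 digit decimal octet in the range 0-255. */
int is_octet(const char *s)
{
    size_t n = strlen(s);
    int v = 0;
    if (n == 0 || n > 3) return 0;
    for (size_t i = 0; i < n; i++) {
        if (s[i] < '0' || s[i] > '9') return 0;
        v = v * 10 + (s[i] - '0');
    }
    return v <= 255;
}

/* Bounded version of the merge described in the advisory: join the four
 * <name>_0..<name>_3 values with '.' into a caller-sized buffer. The
 * vulnerable pattern appends each value with no length check; here every
 * append is checked before it happens and an oversized or malformed input is
 * rejected. Returns 0 on success, -1 on rejection (out is then empty). */
int merge_ipaddr_checked(const char *parts[4], char *out, size_t out_size)
{
    size_t used = 0;
    if (out == NULL || out_size == 0) return -1;
    out[0] = '\0';
    for (int i = 0; i < 4; i++) {
        const char *p = parts[i] ? parts[i] : "";
        size_t len = strlen(p);
        size_t sep = (i > 0) ? 1 : 0;
        /* used <= out_size - 1 always holds, so the subtraction cannot wrap. */
        if (!is_octet(p) || sep + len > out_size - 1 - used) {
            out[0] = '\0';
            return -1;
        }
        if (sep) out[used++] = '.';
        memcpy(out + used, p, len);
        used += len;
        out[used] = '\0';
    }
    return 0;
}
```

Because each octet is limited to three digits, a well-formed result never exceeds 15 characters plus the terminator, so a 16-byte destination is the smallest safe size for this routine.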
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) score for CVE-2025-60690 is 8.8 (HIGH).
- Attack Vector (AV): Network (N) – The vulnerability is exploitable over the network.
- Attack Complexity (AC): Low (L) – The attack is relatively easy to perform.
- Privileges Required (PR): None (N) – No privileges are required to exploit the vulnerability.
- User Interaction (UI): None (N) – No user interaction is required to exploit the vulnerability.
- Scope (S): Unchanged (U) – An exploited vulnerability can only affect resources managed by the same security authority.
- Confidentiality Impact (C): High (H) – There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker.
- Integrity Impact (I): High (H) – There is total loss of integrity, resulting in a complete loss of system protection. The attacker has complete control over the impacted component.
- Availability Impact (A): High (H) – There is total loss of availability; the attacker can fully disrupt or disable the impacted component.
Possible Impact
Successful exploitation of CVE-2025-60690 can have severe consequences:
- Remote Code Execution (RCE): An attacker could execute arbitrary code on the router, potentially gaining full control of the device. This can be used to install malware, intercept network traffic, or use the router as part of a botnet.
- Denial of Service (DoS): An attacker could crash the router, disrupting internet connectivity for all connected devices.
- Data Theft: With successful RCE, attackers could access and steal sensitive information such as credentials, user data, and other confidential information stored on, or passing through, the router.
Mitigation and Patch Steps
Unfortunately, at the time of this writing (2024-01-26), there is no official patch available from Linksys for CVE-2025-60690. We strongly advise the following mitigation steps:
- Discontinue Use: The most effective mitigation is to discontinue use of the Linksys E1200 v2 router until a security patch is released. Consider replacing it with a more secure router from a vendor with a better history of security updates.
- Monitor Linksys Website: Regularly check the Linksys website for security advisories and firmware updates related to the E1200 v2.
- Network Segmentation: If discontinuing use is not possible, segment your network to isolate the E1200 v2 from critical systems.
Important: Keep an eye on security news and advisories for any updates regarding a patch or workaround for this vulnerability. Contact Linksys support directly for inquiries about patch availability.
