LB-LINK BL-X26 Command Injection Vulnerability in HTTP Handler

Vulnerability

A command injection vulnerability has been identified in the LB-LINK BL-X26 router, specifically in version 1.2.8. The issue lies in an unknown function of the file '/goform/set_hidessid_cfg', part of the HTTP handler component. Manipulating the 'enable' argument lets a remote attacker execute unauthorized commands on the device.

Impact

Exploitation of this vulnerability allows for unauthorized command execution on the affected router.

Reproduction

To reproduce this vulnerability, send a POST request to '/goform/set_hidessid_cfg' with the 'type' parameter set to 'sethide2' and the 'enable' parameter containing the command to be executed, such as 'ls>/etc_ro/web/3.txt'. Include a valid 'user' cookie with the value 'admin' to authenticate the request.
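A defender-side check for this endpoint, added here as an example and not taken from the advisory or the vendor: it parses a request's query string and form body and flags any request to '/goform/set_hidessid_cfg' whose 'enable' value is not a plain flag. The assumption that legitimate 'enable' values are '0' or '1' is mine, not stated on the page; the sample requests are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/goform/set_hidessid_cfg"
# Characters that have no business in a boolean flag but let a value
# break out into a shell command line.
SHELL_META = re.compile(r"[;&|`$><\n(){}]")
# Assumption (not stated on the page): the flag is only ever "0" or "1".
EXPECTED_ENABLE = {"0", "1"}


def params_from_request(method, path, body=""):
    """Merge query-string and POST-body parameters; return (params, clean_path)."""
    parts = urlsplit(path)
    params = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return {k: v[0] for k, v in params.items()}, parts.path


def classify(method, path, body=""):
    """Return None for a benign request, otherwise a short reason string."""
    params, clean_path = params_from_request(method, path, body)
    if clean_path != TARGET_PATH:
        return None  # rule is scoped to the vulnerable endpoint only
    enable = params.get("enable")
    if enable is None:
        return None
    if SHELL_META.search(enable):
        return "shell metacharacter in 'enable'"
    if enable not in EXPECTED_ENABLE:
        return "unexpected 'enable' value"
    return None


# Constructed sample traffic (not real captures); the second entry carries
# the payload quoted in the advisory above.
SAMPLE_REQUESTS = [
    ("POST", "/goform/set_hidessid_cfg", "type=sethide2&enable=1"),
    ("POST", "/goform/set_hidessid_cfg", "type=sethide2&enable=ls>/etc_ro/web/3.txt"),
    ("GET", "/goform/set_hidessid_cfg?type=sethide2&enable=0", ""),
]


def scan(requests=SAMPLE_REQUESTS):
    """Return [(index, reason)] for every request that looks like an injection attempt."""
    hits = []
    for i, (method, path, body) in enumerate(requests):
        reason = classify(method, path, body)
        if reason:
            hits.append((i, reason))
    return hits
```

Because parse_qs URL-decodes values, a percent-encoded metacharacter (e.g. '%3E' for '>') is still caught.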

Added: Aug 28, 2025, 7:20 PM
Updated: Aug 28, 2025, 7:20 PM

Vulnerability Rating

Custom Algorithm

spread          2.6
impact          10.0
exploitability  6.2
remediation     0.0
relevance       0.4
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.