LB-LINK BL-X26
cpe:2.3:h:lb-link:bl-x26:*:*:*:*:*:*:*
- v1.2.8
A command injection vulnerability has been identified in the LB-Link BL-X26 router, specifically in version 1.2.8. The issue arises in the HTTP handler, within the file '/goform/set_blacklist'. Manipulating the 'mac' argument allows OS command injection, and the attack can be carried out remotely. Exploitation requires authentication.
Exploitation of this vulnerability allows for unauthorized command execution on the affected device.
To reproduce this vulnerability, an authenticated user must send a POST request to '/goform/set_blacklist' with a crafted 'mac' parameter that includes the desired command. The 'enable' parameter must also be set. This can be done using a web browser or a tool like curl, ensuring that the request includes the necessary cookies for authentication.
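A defensive check for the request described above, as an added example that is not part of the original advisory or the vendor's code: it flags POSTs to '/goform/set_blacklist' whose 'mac' value is not a well-formed MAC address. The form-urlencoded body, the sample records and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/goform/set_blacklist"  # endpoint named in the advisory
# Allow-list: exactly six hex octets separated by ':' or '-'. Anything else
# is rejected, so no list of shell metacharacters has to be maintained.
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")


def check_request(method, url, body):
    """Return findings for one HTTP request (an empty list means clean)."""
    if method.upper() != "POST" or urlsplit(url).path.rstrip("/") != TARGET_PATH:
        return []
    # Assumption: the body is application/x-www-form-urlencoded.
    # keep_blank_values=True so an empty mac= is still inspected.
    params = parse_qs(body, keep_blank_values=True)
    return [
        f"mac is not a MAC address: {value!r}"
        for value in params.get("mac", [])
        if not MAC_RE.fullmatch(value)
    ]


def scan(records):
    """Return (index, finding) for every flagged (method, url, body) record."""
    return [(i, f) for i, rec in enumerate(records) for f in check_request(*rec)]


# Constructed sample records (method, URL, form body); not captured traffic.
SAMPLE = [
    ("POST", "/goform/set_blacklist", "mac=00%3A11%3A22%3A33%3A44%3A55&enable=1"),
    ("POST", "/goform/set_blacklist", "mac=00%3A11%3A22%3A33%3A44%3A55+trailing-text&enable=1"),
    ("POST", "/goform/set_blacklist", "enable=1&mac="),
    ("GET", "/index.html", ""),
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE):
        print(f"record {idx}: {finding}")
```

The same allow-list pattern can run in a reverse proxy or log pipeline in front of the device's management interface.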