
CVE-2025-45491: n/a in n/a

Critical
Published: Tue May 06 2025 (05/06/2025, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.ddnsStatus DynDNS function via the username parameter.

AI-Powered Analysis

AI last updated: 07/05/2025, 15:24:33 UTC

Technical Analysis

CVE-2025-45491 is a critical command injection vulnerability identified in the Linksys E5600 router, specifically version 1.1.0.26. The vulnerability resides in the runtime.ddnsStatus DynDNS function, where the username parameter is improperly sanitized, allowing an attacker to inject arbitrary commands. This flaw corresponds to CWE-78 (Improper Neutralization of Special Elements used in an OS Command), indicating that the input is not correctly validated before being passed to the operating system shell.

The CVSS v3.1 base score of 9.8 reflects the severity and ease of exploitation: the attack vector is network-based (AV:N), requires no privileges (PR:N), and no user interaction (UI:N), making it highly exploitable remotely. Successful exploitation can lead to full compromise of the device, including complete control over the router's operating system, enabling attackers to execute arbitrary commands, disrupt network availability, intercept or manipulate traffic, and pivot to internal networks.

The vulnerability was published on May 6, 2025, with no known exploits in the wild at the time of disclosure. No official patches or mitigation links have been provided yet, increasing the urgency for affected users to take protective measures. The Linksys E5600 is a consumer-grade router commonly used in home and small office environments, but its compromise can have broader implications if used in business or critical infrastructure contexts. The vulnerability's presence in the DynDNS function suggests that attackers might exploit dynamic DNS update mechanisms to inject commands, potentially bypassing some network perimeter defenses.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for small and medium enterprises (SMEs) and home office setups relying on Linksys E5600 routers. Exploitation could lead to unauthorized access to internal networks, data exfiltration, and disruption of business operations. Given the router’s role as a gateway device, attackers gaining control can intercept sensitive communications, manipulate DNS queries, and launch further attacks against internal systems. The critical severity and remote exploitability mean that attackers can compromise devices without authentication or user interaction, increasing the likelihood of widespread exploitation if automated scanning and exploitation tools emerge. In sectors with stringent data protection requirements, such as finance, healthcare, and government, this vulnerability could lead to breaches of personal data and regulatory non-compliance under GDPR. The absence of patches at disclosure time exacerbates the risk, necessitating immediate mitigation to prevent potential lateral movement into corporate networks.

Mitigation Recommendations

1. Immediate network segmentation: Isolate Linksys E5600 routers from critical internal networks to limit potential lateral movement.
2. Disable DynDNS functionality if not required, as this is the vulnerable component.
3. Monitor network traffic for unusual DNS or command injection patterns, employing IDS/IPS systems tuned to detect exploitation attempts targeting DynDNS or command injection signatures.
4. Restrict remote management access to the router, ideally disabling WAN-side administration or limiting it to trusted IP addresses.
5. Implement strict firewall rules to control inbound and outbound traffic to and from the router.
6. Regularly audit and update router firmware; although no patch is currently available, monitor Linksys advisories for updates and apply them promptly once released.
7. Encourage users to replace vulnerable devices with models confirmed to be secure if patches are delayed.
8. Employ endpoint detection on connected devices to identify signs of compromise stemming from router exploitation.
9. Educate users about the risks of using default or weak credentials and enforce strong password policies for router administration.
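Recommendation 3 above (detecting command-injection attempts against the DynDNS username field) and the CWE-78 root cause (a username reaching a shell unvalidated) can both be illustrated with a small detector. This is an added example, not code from the advisory or from Linksys: the request path `/ddns_status.cgi`, the parameter names and the log lines are constructed assumptions, and the allowlist of username characters is a conservative guess that should be adjusted to the DDNS provider's actual rules.

```python
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Characters that let input break out of a shell command line (CWE-78).
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\'\"]")
# Allowlist for a DynDNS account name (assumption: e-mail-like or alphanumeric).
# Rejecting anything else is the fix; trying to escape metacharacters is not.
DDNS_USER_OK = re.compile(r"^[A-Za-z0-9._@+-]{1,64}$")
# Parameter names we look at (assumed; the advisory only says "username").
USERNAME_PARAMS = ("username", "ddns_username")
# Minimal access-log shape: <src> "<METHOD> <path?query> HTTP/x.y"
LOG_RE = re.compile(r'(?P<src>\S+) "(?P<method>GET|POST) (?P<path>\S+) HTTP/[\d.]+"')


def is_safe_ddns_username(value: str) -> bool:
    """Allowlist validation of a DDNS username; False means reject the request."""
    return bool(DDNS_USER_OK.fullmatch(value))


def inspect_request(line: str) -> Optional[dict]:
    """Return a finding for a DDNS request whose username fails validation, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("path"))
    # Only DDNS-related endpoints matter here (path name is an assumption).
    if "ddns" not in (url.path + url.query).lower():
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    for name in USERNAME_PARAMS:
        for value in params.get(name, []):
            if not is_safe_ddns_username(value):
                return {"src": m.group("src"), "param": name, "value": value,
                        "shell_meta": bool(SHELL_META.search(value))}
    return None


def scan(log: str) -> List[dict]:
    """Run the detector over every line of a log and collect findings."""
    return [f for f in (inspect_request(l) for l in log.splitlines()) if f]


# Constructed sample traffic, not captured from a real device.
SAMPLE_LOG = """\
10.0.0.5 "POST /ddns_status.cgi?username=alice%40example.com&host=home.example HTTP/1.1"
10.0.0.9 "POST /ddns_status.cgi?username=alice%3Bid&host=home.example HTTP/1.1"
10.0.0.7 "GET /index.html HTTP/1.1"
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same `is_safe_ddns_username` allowlist is what the firmware side should enforce before the value is used at all; on the IDS side, `shell_meta` separates a typo in a username from a value that is shaped like an injection attempt.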


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2025-04-22T00:00:00.000Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d981bc4522896dcbd9bf4

Added to database: 5/21/2025, 9:08:43 AM

Last enriched: 7/5/2025, 3:24:33 PM

Last updated: 7/30/2025, 6:03:35 AM

