
CVE-2025-45987: n/a

Critical
Published: Fri Jun 13 2025 (06/13/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Blink routers BL-WR9000 V2.4.9, BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 v1.0.5, BL-LTE300 v1.2.3, BL-F1200_AT1 v1.0.0, BL-X26_AC8 v1.2.8, BLAC450M_AE4 v4.0.0 and BL-X26_DA3 v1.2.7 were discovered to contain multiple command injection vulnerabilities via the dns1 and dns2 parameters in the bs_SetDNSInfo function.

AI-Powered Analysis

Last updated: 06/13/2025, 11:50:05 UTC

Technical Analysis

CVE-2025-45987 is a set of multiple command injection vulnerabilities identified in several models of Blink routers, including BL-WR9000 V2.4.9, BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 v1.0.5, BL-LTE300 v1.2.3, BL-F1200_AT1 v1.0.0, BL-X26_AC8 v1.2.8, BLAC450M_AE4 v4.0.0, and BL-X26_DA3 v1.2.7. The vulnerabilities arise from improper input validation in the bs_SetDNSInfo function, specifically through the dns1 and dns2 parameters. These parameters are intended to accept DNS server addresses but can be manipulated to inject arbitrary commands. Command injection vulnerabilities allow an attacker to execute arbitrary system commands on the affected device with the privileges of the vulnerable service, potentially leading to full device compromise. The advisory does not state whether exploitation requires authentication or user interaction; given the nature of router management interfaces, exploitation likely requires network access to the device's management interface, or exposure of these parameters via an API or web interface. No CVSS score has been assigned yet, and no known exploits are reported in the wild as of the publication date (June 13, 2025). The affected devices are commonly used consumer and small business routers, which may be deployed in home, office, and small enterprise environments. The vulnerabilities could be exploited remotely if the management interface is exposed or if an attacker gains access to the internal network. Successful exploitation could allow attackers to execute arbitrary commands, leading to device takeover, network traffic interception, or pivoting to other internal systems.
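The root cause described above is a DNS-server parameter reaching a command without validation. The following C example is added here to illustrate the defensive pattern; it is not code from the advisory or from Blink firmware, and the function names (is_valid_dns_server, build_command_unsafe, set_dns_info_safe), the resolv.conf-style output and the IPv4-only policy are assumptions for illustration. It contrasts the unsafe string interpolation that makes this bug class possible with a handler that rejects anything that is not a plain IPv4 address and never goes through a shell.

```c
/* Added example (not from the advisory or Blink firmware): strict validation of
 * DNS server parameters so they can never carry shell syntax into a command. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>

/* Allowlist validation: accept only a dotted-quad IPv4 address.
 * inet_pton() rejects everything else, including spaces, ';', '&', '|',
 * backticks and any other shell metacharacter. IPv6 is deliberately not
 * accepted here (assumption for this example). */
int is_valid_dns_server(const char *s)
{
    struct in_addr addr;
    if (s == NULL || strlen(s) == 0 || strlen(s) > 15)
        return 0;
    return inet_pton(AF_INET, s, &addr) == 1;
}

/* The unsafe pattern this bug class stems from: the untrusted value is
 * interpolated verbatim into a command line that would later be handed to
 * system(). This function only builds the string (it never executes it) so
 * the data flow can be inspected; the point is that the parameter is copied
 * unchanged, so whatever the caller sent becomes part of the command. */
int build_command_unsafe(const char *dns1, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "echo nameserver %s > /etc/resolv.conf", dns1);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hypothetical hardened handler: validates both parameters, then writes the
 * configuration into a buffer that the caller can fwrite() to the config file.
 * No shell is involved, so metacharacters have no meaning even if validation
 * were ever loosened. Returns 0 on success, -1 if either value is rejected. */
int set_dns_info_safe(const char *dns1, const char *dns2, char *out, size_t outlen)
{
    if (!is_valid_dns_server(dns1) || !is_valid_dns_server(dns2))
        return -1;
    int n = snprintf(out, outlen, "nameserver %s\nnameserver %s\n", dns1, dns2);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char buf[256];
    /* Constructed inputs: one legitimate, one carrying a shell separator. */
    const char *good = "9.9.9.9";
    const char *bad  = "9.9.9.9;ls";

    build_command_unsafe(bad, buf, sizeof buf);
    printf("unsafe command string : %s\n", buf);  /* separator survives intact */

    printf("validator(good) = %d, validator(bad) = %d\n",
           is_valid_dns_server(good), is_valid_dns_server(bad));

    if (set_dns_info_safe(good, "149.112.112.112", buf, sizeof buf) == 0)
        fputs(buf, stdout);                       /* safe config, no shell */
    printf("safe handler on bad input -> %d\n",
           set_dns_info_safe(good, bad, buf, sizeof buf));
    return 0;
}
```

Detection-wise, the same allowlist is the thing to look for in logs: any dns1/dns2 value that is not a bare IP address is an anomaly worth alerting on, independent of the specific payload.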

Potential Impact

For European organizations, the exploitation of these command injection vulnerabilities could have significant consequences. Compromised routers can serve as entry points into corporate or home networks, enabling attackers to intercept sensitive communications, manipulate DNS queries to redirect users to malicious sites (DNS hijacking), or launch further attacks within the network. Small and medium-sized enterprises (SMEs) and home offices relying on these Blink router models are particularly at risk, as they may lack robust network segmentation or advanced security monitoring. The integrity and availability of network services could be disrupted if attackers modify router configurations or cause device failures. Confidentiality breaches could occur through interception or redirection of traffic. The impact is amplified in sectors with critical infrastructure or sensitive data, such as finance, healthcare, and government agencies, especially if these routers are used in branch offices or remote locations. Additionally, the absence of patches or mitigations at the time of disclosure increases the window of exposure. The threat is heightened if attackers exploit exposed management interfaces or leverage phishing or social engineering to gain access to the network segment hosting these devices.

Mitigation Recommendations

1. Immediate network segmentation: Isolate affected Blink routers from critical network segments to limit potential lateral movement in case of compromise.
2. Restrict management interface access: Ensure that router management interfaces are not exposed to the internet or untrusted networks. Use firewall rules to restrict access to trusted IP addresses only.
3. Monitor network traffic for anomalies: Deploy network monitoring to detect unusual DNS queries or command patterns indicative of exploitation attempts.
4. Disable remote management features if not required: Turn off remote administration capabilities on affected devices to reduce attack surface.
5. Implement strong authentication and access controls: If remote management is necessary, enforce strong passwords and multi-factor authentication where supported.
6. Vendor engagement and patch management: Actively monitor Blink's official channels for firmware updates addressing these vulnerabilities and apply patches promptly upon release.
7. Incident response preparedness: Develop and test incident response plans specific to router compromise scenarios, including device replacement or factory reset procedures.
8. Use alternative DNS configurations: Temporarily configure routers to use trusted DNS servers manually to prevent DNS hijacking until patches are available.
9. Inventory and asset management: Identify all affected Blink router models in the environment to prioritize mitigation efforts.
10. Educate users and administrators on the risks and signs of router compromise to enable early detection and reporting.


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-04-22T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 684c0cc0a8c9212743806656

Added to database: 6/13/2025, 11:34:24 AM

Last enriched: 6/13/2025, 11:50:05 AM

Last updated: 7/30/2025, 4:17:15 PM

Views: 13
