
CVE-2025-5000: Command Injection in Linksys FGW3000-AH

Severity: Medium
Published: Tue May 20 2025 (05/20/2025, 21:00:12 UTC)
Source: CVE
Vendor/Project: Linksys
Product: FGW3000-AH

Description

A vulnerability was found in Linksys FGW3000-AH and FGW3000-HK up to 1.0.17.000000. It has been classified as critical. This affects the function control_panel_sw of the file /cgi-bin/sysconf.cgi of the component HTTP POST Request Handler. The manipulation of the argument filename leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 07/06/2025, 05:10:57 UTC

Technical Analysis

CVE-2025-5000 is a command injection vulnerability in Linksys FGW3000-AH and FGW3000-HK devices running firmware up to and including 1.0.17.000000. The flaw is in the HTTP POST request handler, specifically the control_panel_sw function of the /cgi-bin/sysconf.cgi script. The value of the 'filename' argument in the POST request reaches an operating-system command without adequate sanitisation, so shell metacharacters placed in that value are interpreted by the shell and let an attacker run arbitrary commands on the device with whatever privileges the CGI process holds. The attack can be initiated remotely, that is, from any network position that can reach the device's web management interface; the CVE record does not say whether a valid management session is needed to reach control_panel_sw, and the CVSS 4.0 base score of 5.3 (medium), with confidentiality, integrity and availability impacts all rated low, indicates that the assigner considered the exploit conditions or the direct impact limited rather than unrestricted. An exploit has been publicly disclosed, and the vendor was contacted early but did not respond, so no patch was available at the time of analysis. Because the injected command executes on the router's own operating system, a successful attack can still amount to full device compromise, with network pivoting or disruption of the services the router provides, regardless of the modest numeric score.

Potential Impact

For European organizations, this vulnerability poses a significant risk to anyone relying on Linksys FGW3000-AH or FGW3000-HK routers in their network infrastructure. Successful exploitation could give an attacker control over the device, allowing them to intercept or redirect network traffic, deploy malware, or establish a persistent foothold at the network edge, compromising both data confidentiality and network integrity. A compromised router can also serve as a launch point for attacks against internal systems or be enrolled in a botnet for distributed denial-of-service (DDoS) attacks. The lack of a vendor response or patch lengthens the window of exposure. Organizations with remote or unmanaged deployments of these devices are particularly exposed, because the attack is initiated remotely against the web management interface, and any such interface reachable from the internet can be probed with the published exploit.

Mitigation Recommendations

Given the absence of official patches, European organizations should take immediate steps to reduce risk. First, identify and inventory all Linksys FGW3000-AH and FGW3000-HK devices on their networks, including branch-office and home-office units. Where possible, keep the management interface off the internet: disable remote (WAN-side) management, and reach the device only from a management VLAN or over a VPN. Segment the network so that a compromised router cannot reach sensitive internal systems directly. Monitor traffic for exploitation attempts, specifically POST requests to /cgi-bin/sysconf.cgi whose 'filename' parameter contains shell metacharacters such as ';', '|', '&', backticks or '$(' (including their URL-encoded forms); since consumer-grade routers log little themselves, capture this at a network tap or IDS rather than relying on device logs. If management traffic to the device passes through a reverse proxy or web application firewall (WAF), a rule that rejects 'filename' values outside a strict allowlist of expected characters can block the known injection pattern, but a WAF cannot protect an interface that is reachable directly. Where patches remain unavailable, consider replacing the devices with models from a vendor that provides timely security updates. Finally, maintain heightened awareness of any emerging exploit activity targeting this vulnerability.
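The following Python script is an added example and is not code from the advisory, from Linksys or from VulDB. It puts two points from this page into working form: the injection mechanism described in the Technical Analysis (shell metacharacters in the 'filename' value of a POST to /cgi-bin/sysconf.cgi) and the detection and WAF advice above. It provides an allowlist validator for the filename value that a hardened handler or perimeter rule would apply, and a scanner that runs that check over request records. The request records, the extra 'submit' form field and the allowlist character set are assumptions; the advisory does not publish the firmware's real request format.

```python
"""Detection and validation for the CVE-2025-5000 request pattern.

Added illustration; the request format below is assumed, not taken from
the FGW3000 firmware."""

import re
from urllib.parse import parse_qs

TARGET_PATH = "/cgi-bin/sysconf.cgi"   # endpoint named in the CVE record
TARGET_PARAM = "filename"              # argument named in the CVE record

# Characters and sequences a POSIX shell interprets. A value that carries any
# of them into a command line is a command-injection indicator. parse_qs
# decodes %-escapes before this pattern is applied.
SHELL_META = re.compile(r"[;&|`$<>\n\r\\]|\$\(")

# Allowlist for a legitimate filename: one path component of safe characters.
# Length and character set are assumptions about what the firmware needs;
# tighten them to the real file names where known.
SAFE_FILENAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def is_safe_filename(value: str) -> bool:
    """Allowlist check a hardened control_panel_sw handler or a WAF rule would
    apply to 'filename'. Rejects empty values, shell metacharacters, directory
    separators and the '.' / '..' components that pass the character class."""
    if not SAFE_FILENAME.fullmatch(value):
        return False
    if value in (".", "..") or SHELL_META.search(value):
        return False
    return True


def analyse_request(method: str, path: str, body: str):
    """Classify one HTTP request. Returns (verdict, detail) where verdict is
    'ignore' (not a POST to the vulnerable endpoint), 'clean' or 'suspicious'."""
    if method.upper() != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return "ignore", ""
    params = parse_qs(body, keep_blank_values=True)
    values = params.get(TARGET_PARAM, [])
    if not values:
        return "clean", "no filename parameter"
    for value in values:
        if not is_safe_filename(value):
            return "suspicious", f"filename={value!r}"
    return "clean", "filename within allowlist"


# Constructed sample traffic (method, path, URL-encoded body). Not captured
# from a real device; the 'submit' field is invented filler.
SAMPLE_REQUESTS = [
    ("POST", TARGET_PATH, "filename=config.bin&submit=1"),              # benign
    ("POST", TARGET_PATH, "filename=config.bin%3Bid&submit=1"),         # ';' appended
    ("POST", TARGET_PATH, "filename=%60reboot%60&submit=1"),            # backtick substitution
    ("POST", TARGET_PATH, "filename=..%2F..%2Fetc%2Fpasswd&submit=1"),  # directory traversal
    ("GET", TARGET_PATH, ""),                                           # wrong method
    ("POST", "/cgi-bin/other.cgi", "filename=x%3Bls"),                  # other endpoint
]


def scan(requests=SAMPLE_REQUESTS):
    """Return [(index, detail)] for every request judged suspicious."""
    hits = []
    for index, (method, path, body) in enumerate(requests):
        verdict, detail = analyse_request(method, path, body)
        if verdict == "suspicious":
            hits.append((index, detail))
    return hits


if __name__ == "__main__":
    for index, detail in scan():
        print(f"request {index}: suspicious ({detail})")
```

The allowlist is applied first and the metacharacter denylist second so that a value such as '..' or an over-long name is rejected even though it contains no shell syntax; on the device side the same is_safe_filename check, applied before the value is handed to any command, is the shape of fix the vendor would need to ship. Feed analyse_request from whatever already captures management-interface traffic (IDS, reverse proxy or tap) rather than from the router's own logs.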


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-05-20T13:01:36.722Z
CISA Enriched: false
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682cee834d7c5ea9f4b3a1c7

Added to database: 5/20/2025, 9:05:07 PM

Last enriched: 7/6/2025, 5:10:57 AM

Last updated: 8/11/2025, 1:43:08 AM

