CVE-2025-5000: Command Injection in Linksys FGW3000-AH
A vulnerability was found in Linksys FGW3000-AH and FGW3000-HK up to 1.0.17.000000. It has been classified as critical. This affects the function control_panel_sw of the file /cgi-bin/sysconf.cgi of the component HTTP POST Request Handler. The manipulation of the argument filename leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-5000 is a command injection vulnerability affecting Linksys FGW3000-AH and FGW3000-HK devices running firmware versions up to 1.0.17.000000. The flaw resides in the HTTP POST request handler component, specifically within the control_panel_sw function of the /cgi-bin/sysconf.cgi script. An attacker can manipulate the 'filename' argument in the POST request to inject arbitrary commands that the device executes on the underlying operating system. This vulnerability allows remote exploitation without requiring user interaction or authentication, making it particularly dangerous. Although the vendor was notified early, no patch or response has been provided, and the exploit details have been publicly disclosed, increasing the risk of exploitation. The CVSS 4.0 base score is 5.3 (medium severity), reflecting the ease of remote exploitation but limited impact on confidentiality, integrity, and availability (all rated low). The vulnerability could enable attackers to execute arbitrary commands, potentially leading to device compromise, network pivoting, or disruption of services provided by the affected router models.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those relying on Linksys FGW3000-AH or FGW3000-HK routers in their network infrastructure. Successful exploitation could lead to unauthorized control over the device, allowing attackers to intercept or redirect network traffic, deploy malware, or establish persistent footholds within corporate networks. This could compromise sensitive data confidentiality and network integrity. Additionally, compromised routers could be used as launch points for further attacks against internal systems or as part of botnets for distributed denial-of-service (DDoS) attacks. The lack of vendor response and patch availability exacerbates the threat, increasing the window of exposure. Organizations with remote or unmanaged deployments of these devices are particularly vulnerable, as attackers can exploit the flaw remotely without authentication or user interaction.
Mitigation Recommendations
Given the absence of official patches, European organizations should take immediate steps to mitigate risk. First, identify and inventory all Linksys FGW3000-AH and FGW3000-HK devices within their networks. Where possible, isolate these devices from direct internet exposure by placing them behind additional firewalls or VPNs that restrict access to the management interface. Disable remote management features if enabled. Employ network segmentation to limit the impact of a compromised device. Monitor network traffic for unusual patterns indicative of exploitation attempts, such as unexpected POST requests to /cgi-bin/sysconf.cgi. Implement strict access controls and logging on these devices. Consider replacing vulnerable devices with models from vendors that provide timely security updates. Until a patch is released, applying web application firewall (WAF) rules to block suspicious input patterns targeting the 'filename' parameter may reduce exploitation risk. Finally, maintain heightened awareness for any emerging exploit activity targeting this vulnerability.
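As an added example (not the page's, VulDB's or the vendor's code), a Python check that implements the monitoring and WAF-style recommendation above: it inspects POST requests to /cgi-bin/sysconf.cgi and flags a 'filename' value that contains shell metacharacters or falls outside a conservative allow-list. The allow-list pattern and the sample requests are constructed assumptions, not captured traffic or a known-safe vendor policy.

```python
"""Defensive request check for CVE-2025-5000 (command injection via the
'filename' argument of /cgi-bin/sysconf.cgi). Added example; the policy and
the sample requests below are constructed, not taken from a real device."""
import re
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/cgi-bin/sysconf.cgi"
# Assumed policy: a legitimate filename is a bare name of safe characters,
# no path separators, no leading dot. Tighten or loosen per deployment.
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")
# Characters that let a value escape into a shell command line.
SHELL_META = re.compile(r"[;|&`$(){}<>\n\r\\'\"]")


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body to single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def inspect_request(method: str, target: str, body: str = "") -> dict:
    """Return {'verdict': 'allow'|'block', 'reasons': [...]} for one request.
    Only the POST handler is described in the advisory, so other methods and
    other paths pass through untouched."""
    if method.upper() != "POST" or urlsplit(target).path != TARGET_PATH:
        return {"verdict": "allow", "reasons": []}
    name = parse_form(body).get("filename")
    if name is None:
        return {"verdict": "allow", "reasons": []}
    reasons = []
    if SHELL_META.search(name):
        reasons.append("shell metacharacter in filename")
    if not SAFE_FILENAME.fullmatch(name):
        reasons.append("filename outside allow-list")
    return {"verdict": "block" if reasons else "allow", "reasons": reasons}


# Constructed sample traffic: (method, request target, body).
SAMPLE_REQUESTS = [
    ("POST", "/cgi-bin/sysconf.cgi", "filename=config_backup.bin"),
    ("POST", "/cgi-bin/sysconf.cgi", "filename=backup.bin%3Bx"),
    ("GET", "/cgi-bin/sysconf.cgi?filename=x", ""),
    ("POST", "/index.cgi", "filename=backup.bin%3Bx"),
]


def scan(requests=SAMPLE_REQUESTS) -> list:
    """Apply inspect_request to each sample and return the verdicts in order."""
    return [inspect_request(m, t, b)["verdict"] for m, t, b in requests]
```

The same logic can be dropped into a reverse proxy or log-replay script; a "block" verdict with its reasons is what you would alert on while the device remains unpatched.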
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-05-20T13:01:36.722Z
- CISA Enriched: false
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 682cee834d7c5ea9f4b3a1c7
Added to database: 5/20/2025, 9:05:07 PM
Last enriched: 7/6/2025, 5:10:57 AM
Last updated: 8/11/2025, 1:43:08 AM