CVE-2025-60690 is a stack-based buffer overflow vulnerability identified in the get_merge_ipaddr function within the httpd binary of Linksys E1200 v2 routers, specifically in firmware version E1200_v2.0.11.001_us. The vulnerability stems from the function's handling of up to four CGI parameters named with suffixes _0 through _3, which are concatenated into a fixed-size buffer (referred to as a2) without performing bounds checking. This lack of validation allows an attacker to supply specially crafted HTTP requests containing oversized parameter values that overflow the buffer on the stack. Exploiting this overflow can lead to arbitrary code execution or denial of service (DoS) conditions remotely, without requiring any authentication or user interaction. The vulnerability is classified under CWE-121 (Stack-based Buffer Overflow). The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability, with attack vector being adjacent network (AV:A), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and unchanged scope (S:U). Although no public exploits or patches are currently available, the vulnerability poses a significant risk to affected devices. The httpd binary is a critical component responsible for handling HTTP requests on the router, making this vulnerability particularly dangerous as it can be triggered remotely via crafted HTTP requests. The firmware version affected is specific, but the lack of patch availability increases the urgency for mitigation.

The impact of CVE-2025-60690 is substantial for organizations using Linksys E1200 v2 routers with the specified vulnerable firmware. Successful exploitation enables remote attackers to execute arbitrary code, potentially gaining full control over the router. This can lead to interception or manipulation of network traffic, unauthorized access to internal networks, and pivoting to other connected devices. Additionally, attackers can cause denial of service, disrupting network availability. Since the vulnerability requires no authentication or user interaction, it can be exploited by any attacker with network access to the router's HTTP interface, increasing the attack surface. Organizations relying on these routers for critical network infrastructure or home office connectivity face risks of data breaches, network compromise, and operational disruption. The absence of patches and known exploits in the wild suggests a window of opportunity for attackers to develop and deploy exploits, emphasizing the need for proactive defense measures.

1. Immediate mitigation should include restricting access to the router's HTTP management interface to trusted networks only, ideally via firewall rules or network segmentation, to reduce exposure to potential attackers. 2. Disable remote management features on the affected routers if enabled, preventing external HTTP requests from reaching the vulnerable service. 3. Monitor network traffic for unusual HTTP requests targeting CGI parameters with suspicious patterns or lengths that could indicate exploitation attempts. 4. Employ intrusion detection/prevention systems (IDS/IPS) with custom signatures to detect and block exploit attempts targeting this vulnerability. 5. Regularly check for firmware updates or security advisories from Linksys and apply patches promptly once available. 6. Consider replacing affected devices with newer models that have updated firmware and improved security posture if patching is not feasible. 7. Educate network administrators about this vulnerability and encourage proactive network hygiene and monitoring practices. 8. Implement network-level access controls and VPNs to limit management interface exposure. 9. Conduct vulnerability scanning to identify devices running the vulnerable firmware version within the organization’s network.