CVE-2025-60691 is a stack-based buffer overflow vulnerability identified in the httpd binary of Linksys E1200 version 2 routers, specifically in firmware version E1200_v2.0.11.001_us. The vulnerability stems from the unsafe handling of the "url" CGI parameter within the apply_cgi and block_cgi functions. These functions use sprintf to copy user-supplied input into stack-allocated buffers (v36, v29) that are single-byte in size, without performing any bounds checking. This coding flaw allows any non-empty input to overflow the buffer, corrupting adjacent stack memory. Because the httpd service processes HTTP requests, an attacker can remotely send crafted HTTP requests to trigger this overflow. Exploitation does not require authentication or user interaction, increasing the attack surface. Successful exploitation can lead to arbitrary code execution on the router, enabling attackers to take control of the device, or cause denial of service by crashing the httpd process. The vulnerability is classified under CWE-121 (stack-based buffer overflow) and has a CVSS v3.1 base score of 8.8, indicating high severity with high impact on confidentiality, integrity, and availability. No patches or firmware updates are currently linked, and no known exploits have been reported in the wild as of the publication date (November 13, 2025). The vulnerability affects a widely deployed consumer-grade router model, which is often used in small office/home office (SOHO) environments, potentially exposing many endpoints to compromise.

For European organizations, especially small and medium enterprises (SMEs) and home offices using Linksys E1200 v2 routers, this vulnerability poses a significant risk. Exploitation could allow attackers to gain persistent control over network gateways, enabling interception or manipulation of network traffic, deployment of malware, or lateral movement into internal networks. The ability to cause denial of service could disrupt business operations by cutting off internet connectivity. Confidentiality of sensitive data traversing the network could be compromised, and integrity of communications undermined. Given the lack of authentication or user interaction required, attackers can remotely exploit this vulnerability from anywhere, increasing the threat level. The absence of known exploits currently provides a window for mitigation, but the high CVSS score suggests that once exploit code is developed, attacks could be widespread. This is particularly concerning for critical infrastructure sectors and organizations handling sensitive data within Europe.

1. Immediate action should be to check for and apply any firmware updates or patches released by Linksys addressing this vulnerability. If no official patch is available, consider upgrading to a newer router model without this vulnerability. 2. Restrict access to the router’s HTTP management interface by disabling remote management or limiting access to trusted IP addresses only. 3. Deploy network-level protections such as Web Application Firewalls (WAFs) or Intrusion Prevention Systems (IPS) configured to detect and block suspicious HTTP requests that could trigger buffer overflows. 4. Monitor network traffic for unusual patterns or signs of exploitation attempts targeting the router’s management interface. 5. Segment the network to isolate vulnerable devices from critical systems and sensitive data. 6. Educate users about the risks of using outdated router firmware and encourage regular updates. 7. Consider replacing vulnerable devices in high-risk environments with routers from vendors with strong security track records and timely patching policies.