CVE-2025-60692 is a stack-based buffer overflow vulnerability identified in the libshared.so library used by Cisco Linksys E1200 version 2 routers, specifically in firmware version E1200_v2.0.11.001_us.tar.gz. The vulnerability stems from the functions get_mac_from_ip and get_ip_from_mac, which parse entries from the /proc/net/arp file using the sscanf function with the format specifier "%100s". This specifier is overly permissive relative to the fixed buffer sizes (50 bytes for v6 and v7 sub-arrays), allowing attackers who can control the contents of /proc/net/arp to overflow the stack buffer. This overflow can cause memory corruption, potentially leading to denial of service or arbitrary code execution. The vulnerability is exploitable locally without requiring privileges or user interaction, increasing its risk profile. The CVSS v3.1 base score is 8.4, reflecting high impact on confidentiality, integrity, and availability. No patches or known exploits are currently available, highlighting the need for proactive mitigation. The vulnerability is classified under CWE-121 (stack-based buffer overflow), a common and dangerous class of memory corruption bugs. The attack surface is limited to local attackers who can manipulate /proc/net/arp, which may be feasible in multi-tenant or compromised network environments.

For European organizations, the impact of CVE-2025-60692 can be significant, especially for those relying on Cisco Linksys E1200 v2 routers in their network infrastructure. Successful exploitation can lead to complete compromise of the affected router, allowing attackers to disrupt network availability through denial of service or to execute arbitrary code, potentially pivoting to other internal systems. This threatens confidentiality by exposing network traffic or credentials, integrity by altering routing or firewall rules, and availability by causing device crashes or network outages. Critical sectors such as government, finance, healthcare, and industrial control systems that use these routers could face operational disruptions and data breaches. The local attack requirement limits remote exploitation but does not eliminate risk in environments where attackers can gain local access, such as through compromised devices or insider threats. The absence of patches increases exposure duration, necessitating immediate risk management.

1. Immediately isolate affected Cisco Linksys E1200 v2 routers from untrusted networks to limit local attacker access. 2. Restrict and monitor access to devices, ensuring only trusted administrators can interact with router consoles or management interfaces. 3. Implement network segmentation to prevent unauthorized lateral movement to routers. 4. Monitor /proc/net/arp and related system files for unauthorized modifications or suspicious entries indicative of exploitation attempts. 5. Employ host-based intrusion detection systems (HIDS) on routers if supported, to detect anomalous behavior or memory corruption signs. 6. Engage with Cisco or authorized vendors to obtain firmware updates or patches as soon as they become available. 7. Consider replacing vulnerable routers with updated hardware or firmware versions that address this vulnerability. 8. Conduct regular security audits and penetration tests focusing on local privilege escalation and buffer overflow vulnerabilities. 9. Educate network administrators about the risks of local access exploitation and enforce strict access control policies. 10. Use network-level protections such as MAC address filtering and ARP inspection to reduce the risk of ARP table manipulation.