
CVE-2025-7564: Hard-coded Credentials in LB-LINK BL-AC3600

Severity: High
Tags: Vulnerability, CVE-2025-7564
Published: Mon Jul 14 2025 (07/14/2025, 02:32:05 UTC)
Source: CVE Database V5
Vendor/Project: LB-LINK
Product: BL-AC3600

Description

A vulnerability classified as critical has been found in LB-LINK BL-AC3600 1.0.22. It affects unknown functionality of the file /etc/shadow: the entry root:blinkadmin amounts to a hard-coded credential. Local access is required to exploit this issue. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 07/14/2025, 03:01:08 UTC

Technical Analysis

CVE-2025-7564 is a critical vulnerability in the LB-LINK BL-AC3600 wireless router, specifically firmware version 1.0.22. The flaw is a hard-coded credential, root:blinkadmin, shipped in the device's /etc/shadow file, the file that stores hashed account passwords on Unix-like systems. Because the credential is fixed in the firmware rather than set by the owner, anyone who knows it can authenticate to the device as root. Exploitation requires local access to the device, meaning an attacker must already have some form of physical or network-level access to the router's administrative interface or underlying system. The vulnerability does not require user interaction and can be exploited with low attack complexity. The CVSS 4.0 score is 8.5 (high severity), reflecting the significant impact on confidentiality, integrity, and availability, since the attacker gains root-level privileges. The vendor LB-LINK has not responded to disclosure attempts, and no patches or mitigations have been publicly released. Although no exploitation in the wild has been observed so far, the public disclosure of the exploit increases the likelihood of active exploitation. An attacker with local access can fully compromise the device, potentially pivoting to internal networks or intercepting sensitive data.

Potential Impact

For European organizations, this vulnerability presents a substantial risk, especially for enterprises and service providers relying on LB-LINK BL-AC3600 routers in their network infrastructure. Successful exploitation could lead to complete device takeover, enabling attackers to intercept, modify, or disrupt network traffic, degrade service availability, and potentially launch further attacks within the internal network. Confidentiality breaches could expose sensitive corporate or customer data. Integrity of network configurations and data could be compromised, and availability could be impacted by malicious changes or denial-of-service conditions. Given the local access requirement, the threat is higher in environments where physical security is lax or where internal threat actors or compromised insiders exist. The lack of vendor response and patches exacerbates the risk, as organizations cannot remediate through official updates, increasing reliance on compensating controls. This vulnerability could also impact managed service providers and ISPs using these devices, potentially affecting multiple downstream customers.

Mitigation Recommendations

Organizations should immediately inventory their network devices to identify any LB-LINK BL-AC3600 routers running version 1.0.22. Given the absence of an official patch, mitigation should focus on reducing local access to these devices. This includes enforcing strict physical security controls to prevent unauthorized personnel from accessing the hardware. Network segmentation should be applied to isolate management interfaces from general user networks, limiting exposure. Change default credentials and disable any unnecessary local access methods such as SSH or Telnet if possible. Monitor network traffic and device logs for unusual activity indicative of exploitation attempts. Where feasible, replace affected devices with alternative models or vendors that do not have this vulnerability. Additionally, implement strict access control policies and consider deploying network intrusion detection systems to detect lateral movement or unusual administrative actions. Regularly review and update incident response plans to address potential exploitation scenarios involving device compromise.
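The inventory and hardening steps above can be complemented by auditing the firmware itself. The following is an added example, not code from this advisory or from LB-LINK: a small Python audit that a defender can run over the /etc/shadow file extracted from a firmware image (or copied from a device they administer) to list every account that ships with a usable password hash. Such accounts are hard-coded credentials of exactly the kind this CVE describes. It generalises beyond the root account in this advisory by flagging any usable account and noting weak hash schemes. The sample shadow content is constructed for illustration and is not taken from the BL-AC3600 firmware; the function and field names are the example's own.

```python
"""
Audit a shadow(5) file from an extracted firmware root filesystem for
accounts that ship with a usable (non-locked) password hash, i.e.
hard-coded credentials. Added example, not vendor code.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Hash-scheme identifiers used in the crypt(3) "$id$salt$hash" prefix.
CRYPT_SCHEMES = {
    "1": "md5-crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256-crypt",
    "6": "sha512-crypt",
    "y": "yescrypt",
}


@dataclass
class ShadowFinding:
    user: str
    scheme: str   # hash algorithm detected, or "locked"/"empty"
    usable: bool  # True if the field lets someone log in with a password
    weak: bool    # True if the scheme is weak for stored credentials


def classify_hash(field: str) -> Tuple[str, bool, bool]:
    """Return (scheme, usable, weak) for one shadow password field."""
    if field == "":
        return ("empty", True, True)        # no password required at all
    if field.startswith(("!", "*")):
        return ("locked", False, False)     # locked account or disabled password
    if field.startswith("$"):
        parts = field.split("$")
        scheme = CRYPT_SCHEMES.get(parts[1], "unknown-" + parts[1])
        weak = scheme == "md5-crypt" or scheme.startswith("unknown")
        return (scheme, True, weak)
    if len(field) == 13:
        return ("des-crypt", True, True)    # traditional DES crypt: 8-char limit, weak
    return ("unrecognised", True, True)


def audit_shadow(text: str) -> List[ShadowFinding]:
    """Parse shadow-format text and classify every account entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed shadow line {lineno}: {line!r}")
        user, pw = fields[0], fields[1]
        scheme, usable, weak = classify_hash(pw)
        findings.append(ShadowFinding(user, scheme, usable, weak))
    return findings


def hardcoded_accounts(text: str) -> List[ShadowFinding]:
    """Accounts that can log in with a password baked into the image."""
    return [f for f in audit_shadow(text) if f.usable]


# Constructed sample; the hashes are placeholders, not real digests.
SAMPLE_SHADOW = """\
root:$1$abcdefgh$ConstructedMd5CryptHashXXXXXX:19000:0:99999:7:::
admin:$6$saltsalt$ConstructedSha512CryptHashXXXXXXXXXX:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
nobody:!:19000:0:99999:7:::
guest::19000:0:99999:7:::
support:ab1234567890X:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for f in hardcoded_accounts(SAMPLE_SHADOW):
        flag = " (weak scheme)" if f.weak else ""
        print(f"hard-coded credential: user={f.user} scheme={f.scheme}{flag}")
```

Run it against the shadow file from an unpacked firmware image; every account it lists can authenticate with a password the device owner never chose, which is the condition a purchasing or acceptance test should reject. Locked entries (`*` or `!` prefixes) are deliberately excluded, since those accounts cannot log in by password.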


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-07-12T21:11:53.262Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68746f6ba83201eaacc117fe

Added to database: 7/14/2025, 2:46:03 AM

Last enriched: 7/14/2025, 3:01:08 AM

Last updated: 7/15/2025, 8:32:35 PM

