CVE-2025-7573 is an information disclosure vulnerability identified in multiple LB-LINK router models, including BL-AC1900, BL-AC2100_AZ3, BL-AC3600, BL-AX1800, BL-AX5400P, and BL-WR9000, affecting firmware versions up to 20250702. The vulnerability resides in the function bs_GetManPwd within the shared library libblinkapi.so, which is invoked by the /cgi-bin/lighttpd.cgi endpoint. This function's improper handling allows an unauthenticated remote attacker to retrieve sensitive information, potentially including administrative credentials or other confidential data stored or processed by the device. The vulnerability can be exploited remotely without requiring any authentication or user interaction, increasing the attack surface significantly. The vendor was notified but did not respond or provide a patch, and a public exploit has been disclosed, raising the risk of exploitation. The CVSS v4.0 base score is 6.9 (medium severity), reflecting the ease of remote exploitation and the confidentiality impact, while integrity and availability remain unaffected. The vulnerability does not require privileges or user interaction, making it accessible to any remote attacker scanning for vulnerable devices. The disclosed exploit could be used to gather sensitive information that may facilitate further attacks such as unauthorized access, lateral movement, or network reconnaissance.

For European organizations, this vulnerability poses a significant risk, especially for entities relying on LB-LINK routers in their network infrastructure. Information disclosure of administrative credentials or sensitive configuration data can lead to unauthorized network access, compromising confidentiality and potentially enabling attackers to manipulate network traffic or deploy further malware. Critical sectors such as government, finance, healthcare, and telecommunications could be targeted due to the strategic value of their networks. The lack of vendor response and patch availability increases exposure time, elevating the risk of exploitation. Organizations using these devices in perimeter or internal network segments may face increased risk of data breaches, espionage, or disruption of services. Additionally, the public availability of exploits lowers the barrier for attackers, including less sophisticated threat actors, to exploit this vulnerability.

Given the absence of an official patch, European organizations should implement immediate compensating controls. First, restrict remote access to the affected devices by limiting management interfaces to trusted IP addresses or internal networks only, using firewall rules or VPNs. Disable or restrict access to the /cgi-bin/lighttpd.cgi endpoint if possible, or employ web application firewalls (WAFs) to detect and block exploit attempts targeting bs_GetManPwd. Regularly monitor network traffic and device logs for suspicious requests or anomalies indicative of exploitation attempts. Consider replacing affected LB-LINK devices with alternative models or vendors that have timely security support. Network segmentation should be enforced to isolate vulnerable devices from critical assets. Additionally, organizations should conduct vulnerability scans to identify affected devices and prioritize their remediation or isolation. Finally, maintain heightened awareness and threat intelligence monitoring for any emerging exploits or vendor updates.