
CVE-2025-7574: Improper Authentication in LB-LINK BL-AC1900

Critical
Published: Mon Jul 14 2025 (07/14/2025, 05:02:05 UTC)
Source: CVE Database V5
Vendor/Project: LB-LINK
Product: BL-AC1900

Description

A vulnerability, which was classified as critical, was found in LB-LINK BL-AC1900, BL-AC2100_AZ3, BL-AC3600, BL-AX1800, BL-AX5400P and BL-WR9000 up to 20250702. Affected is the function reboot/restore of the file /cgi-bin/lighttpd.cgi of the component Web Interface. The manipulation leads to improper authentication. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 07/14/2025, 05:31:10 UTC

Technical Analysis

CVE-2025-7574 is a critical security vulnerability affecting multiple LB-LINK router models, including BL-AC1900, BL-AC2100_AZ3, BL-AC3600, BL-AX1800, BL-AX5400P, and BL-WR9000, specifically versions up to 20250702. The vulnerability resides in the web interface component, particularly in the /cgi-bin/lighttpd.cgi file's reboot/restore function. This flaw allows an attacker to bypass authentication mechanisms, enabling remote exploitation without any user interaction or prior authentication. The improper authentication weakness means that an attacker can remotely trigger reboot or restore operations on the affected devices, potentially disrupting network availability or resetting configurations to default states.

The vulnerability has been publicly disclosed, and although no known exploits have been observed in the wild yet, the public availability of exploit details increases the risk of imminent attacks. The vendor, LB-LINK, has not responded to early notifications, and no patches or mitigations have been officially released as of the publication date.

The CVSS v4.0 base score is 9.3 (critical), reflecting the vulnerability's high impact on confidentiality, integrity, and availability, ease of exploitation (no authentication or user interaction required), and the potential for widespread disruption. The vulnerability's exploitation could lead to unauthorized control over device reboot and restore functions, causing denial of service or enabling further attacks through device misconfiguration or exposure of sensitive information during resets.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for enterprises, ISPs, and critical infrastructure operators relying on LB-LINK routers for network connectivity. Successful exploitation can lead to denial of service by forcing device reboots or restoring factory settings, disrupting business operations and communications. This is particularly critical for organizations with remote or distributed networks where physical access to devices is limited. Additionally, unauthorized resets could expose networks to further compromise if default credentials are restored or security configurations are lost. The lack of vendor response and patch availability exacerbates the risk, leaving organizations exposed. Given the criticality and ease of exploitation, attackers could leverage this vulnerability to conduct targeted attacks, disrupt services, or establish footholds in networks. The impact extends to confidentiality, as improper resets might expose sensitive configuration data, and integrity, as unauthorized changes to device state can undermine trust in network infrastructure.

Mitigation Recommendations

European organizations using affected LB-LINK devices should immediately implement compensating controls to mitigate risk. These include isolating vulnerable devices from untrusted networks by restricting access to the web interface via firewall rules or network segmentation. Disabling remote management features on affected routers can reduce exposure. Monitoring network traffic for unusual reboot or restore commands targeting /cgi-bin/lighttpd.cgi may help detect exploitation attempts. Organizations should also consider replacing vulnerable devices with models from vendors with active security support if patches remain unavailable. Regular backups of device configurations are essential to enable rapid recovery in case of forced resets. Additionally, organizations should engage with LB-LINK support channels to seek updates or advisories and stay informed about potential patches. Implementing intrusion detection systems tuned to detect exploitation patterns related to this vulnerability can provide early warning. Finally, educating IT staff about this vulnerability and its indicators is critical for timely response.
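The monitoring recommendation above can be turned into a simple log check. The following is an added example, not code from the advisory or from LB-LINK: it flags requests to /cgi-bin/lighttpd.cgi that come from outside a management allowlist. The log line format, the `MGMT_NETS` subnet and the sample lines are assumptions constructed for illustration; the advisory does not document request parameters, so matching is on the path only.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

CGI_PATH = "/cgi-bin/lighttpd.cgi"  # path named in the advisory
# Assumption: subnets that are allowed to administer the routers.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Assumption: gateway log lines shaped like
#   <timestamp> <src> -> <dst> "<METHOD> <target> HTTP/x.y" <status>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)
# Constructed sample input (documentation address ranges).
SAMPLE_LOG = [
    '2025-07-14T06:00:01Z 10.20.0.5 -> 192.0.2.1 "POST /cgi-bin/lighttpd.cgi HTTP/1.1" 200',
    '2025-07-14T06:03:12Z 203.0.113.44 -> 192.0.2.1 "POST /cgi-bin/lighttpd.cgi HTTP/1.1" 200',
    '2025-07-14T06:03:40Z 203.0.113.44 -> 192.0.2.1 "GET /index.html HTTP/1.1" 200',
    '2025-07-14T06:04:02Z 198.51.100.7 -> 192.0.2.9 "POST /cgi-bin//lighttpd%2Ecgi?t=1 HTTP/1.1" 200',
]

def normalise_path(target):
    """Drop the query string, percent-decode, and collapse repeated slashes."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path)

def is_mgmt(addr):
    """True if addr parses as an IP inside MGMT_NETS; anything else is untrusted."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in MGMT_NETS)

def find_suspect_requests(lines):
    """Map router IP -> [(timestamp, source, method, status)] for requests to
    CGI_PATH whose source is outside the management allowlist."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or normalise_path(m["target"]) != CGI_PATH:
            continue  # unparseable line or unrelated path
        if not is_mgmt(m["src"]):
            hits[m["dst"]].append((m["ts"], m["src"], m["method"], int(m["status"])))
    return dict(hits)

if __name__ == "__main__":
    for router, events in find_suspect_requests(SAMPLE_LOG).items():
        for ts, src, method, status in events:
            print(f"{ts} router={router} src={src} {method} {CGI_PATH} -> {status}")
```

Any hit on a router that subsequently rebooted or lost its configuration is worth correlating with the device's uptime and configuration backups.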


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-07-13T07:16:48.181Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68749293a83201eaacc21077

Added to database: 7/14/2025, 5:16:03 AM

Last enriched: 7/14/2025, 5:31:10 AM

Last updated: 7/14/2025, 8:32:41 PM
