CVE Catalog

CVE-2025-60693

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.70%

49th percentile - higher than 49% of all known CVEs

Summary

A stack-based buffer overflow exists in the get_merge_mac function of the httpd binary on Linksys E1200 v2 routers (Firmware E1200_v2.0.11.001_us.tar.gz). The function concatenates up to six user-supplied CGI parameters matching <parameter>_0~5 into a fixed-size buffer (a2) without proper bounds checking, appending colon delimiters during concatenation. Remote attackers can exploit this vulnerability via specially crafted HTTP requests to execute arbitrary code or cause denial of service without authentication.

Risk Assessment

The risk for the organization includes the possibility of remote code execution on the router without authentication, potentially leading to compromise of network traffic confidentiality and integrity, as well as denial of service.

Recommendation

It is recommended to immediately update the Linksys E1200 v2 router firmware to the latest available version if a patch has been released. If no update is available, restrict access to the router's management interface to trusted networks only or consider replacing the device with a supported model.

Original NVD description (English source)

A stack-based buffer overflow exists in the get_merge_mac function of the httpd binary on Linksys E1200 v2 routers (Firmware E1200_v2.0.11.001_us.tar.gz). The function concatenates up to six user-supplied CGI parameters matching <parameter>_0~5 into a fixed-size buffer (a2) without proper bounds checking, appending colon delimiters during concatenation. Remote attackers can exploit this vulnerability via specially crafted HTTP requests to execute arbitrary code or cause denial of service without authentication.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS