{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/e1200-firmware--v2.0.04/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2025-60690"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["E1200 Firmware (\u003c= v2.0.04)"],"_cs_severities":["critical"],"_cs_tags":["buffer-overflow","rce","hardware"],"_cs_type":"advisory","_cs_vendors":["Linksys"],"content_html":"\u003cp\u003eThe Linksys E1200 router, specifically firmware version 2.0.04 and earlier, is susceptible to an authenticated stack buffer overflow vulnerability (CVE-2025-60690). The vulnerability resides in the handling of the \u003ccode\u003elan_ipaddr_*\u003c/code\u003e parameters within the \u003ccode\u003e/apply.cgi\u003c/code\u003e endpoint. Exploitation requires the attacker to be authenticated and directly connected to the LAN. Successful exploitation allows an attacker to execute arbitrary code on the device, potentially leading to full system compromise. 
This vulnerability poses a significant risk to home and small business networks using the affected Linksys E1200 router.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains access to the LAN network where the Linksys E1200 is connected.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Linksys E1200 web interface using valid credentials (e.g., admin:admin).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP POST request targeting the \u003ccode\u003e/apply.cgi\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the \u003ccode\u003eaction=Apply\u003c/code\u003e parameter and excessively long \u003ccode\u003elan_ipaddr_*\u003c/code\u003e parameters designed to overflow a stack buffer.\u003c/li\u003e\n\u003cli\u003eThe attacker injects shellcode into the overflowing buffer within the crafted \u003ccode\u003elan_ipaddr_3\u003c/code\u003e parameter. The shellcode payload constructs a reverse shell.\u003c/li\u003e\n\u003cli\u003eThe router\u0026rsquo;s web server (\u003ccode\u003ehttpd\u003c/code\u003e) processes the malicious POST request and attempts to write the oversized input into the stack buffer, triggering the overflow.\u003c/li\u003e\n\u003cli\u003eThe injected shellcode is executed, establishing a reverse shell connection back to the attacker\u0026rsquo;s machine.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote code execution on the Linksys E1200 router, allowing for arbitrary command execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to gain complete control of the affected Linksys E1200 router. 
This can lead to a variety of malicious activities, including eavesdropping on network traffic, modifying router configurations (DNS settings, firewall rules), and using the compromised router as a pivot point for further attacks within the local network. Given the widespread use of Linksys E1200 routers in homes and small businesses, this vulnerability has the potential to impact a large number of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available firmware updates from Linksys to patch CVE-2025-60690 when they become available.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/apply.cgi\u003c/code\u003e with abnormally long \u003ccode\u003elan_ipaddr_*\u003c/code\u003e parameters using the Sigma rule provided.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a compromised router on other network devices.\u003c/li\u003e\n\u003cli\u003eEnforce strong and unique passwords for all router accounts to prevent unauthorized access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-linksys-e1200-rce/","summary":"A stack buffer overflow vulnerability in Linksys E1200 firmware version 2.0.04 and earlier allows an authenticated attacker to achieve remote code execution by sending a crafted HTTP POST request to the apply.cgi endpoint.","title":"Linksys E1200 Authenticated Stack Buffer Overflow","url":"https://feed.craftedsignal.io/briefs/2024-01-linksys-e1200-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — E1200 Firmware (\u003c= V2.0.04)","version":"https://jsonfeed.org/version/1.1"}