Attack Chain

1. The attacker gains access to the LAN network where the Linksys E1200 is connected.
2. The attacker authenticates to the Linksys E1200 web interface using valid credentials (e.g., admin:admin).
3. The attacker crafts an HTTP POST request targeting the /apply.cgi endpoint.
4. The POST request includes the action=Apply parameter and excessively long lan_ipaddr_* parameters designed to overflow a stack buffer.
5. The attacker injects shellcode into the overflowing buffer within the crafted lan_ipaddr_3 parameter. The shellcode payload constructs a reverse shell.
6. The router’s web server (httpd) processes the malicious POST request and attempts to write the oversized input into the stack buffer, triggering the overflow.
7. The injected shellcode is executed, establishing a reverse shell connection back to the attacker’s machine.
8. The attacker gains remote code execution on the Linksys E1200 router, allowing for arbitrary command execution.

Impact

Successful exploitation of this vulnerability allows an attacker to gain complete control of the affected Linksys E1200 router. This can lead to a variety of malicious activities, including eavesdropping on network traffic, modifying router configurations (DNS settings, firewall rules), and using the compromised router as a pivot point for further attacks within the local network. Given the widespread use of Linksys E1200 routers in homes and small businesses, this vulnerability has the potential to impact a large number of users.

Recommendation

• Apply available firmware updates from Linksys to patch CVE-2025-60690 when they become available.
• Monitor web server logs for suspicious POST requests to /apply.cgi with abnormally long lan_ipaddr_* parameters using the Sigma rule provided.
• Implement network segmentation to limit the impact of a compromised router on other network devices.
• Enforce strong and unique passwords for all router accounts to prevent unauthorized access.