Authenticated RCE Vulnerability (CVE‑2025‑60690) in Linksys E1200 Routers Exposes Network Infrastructure
What Happened – A stack‑buffer overflow in the web management interface of Linksys E1200 routers (firmware ≤ v2.0.04) allows an authenticated attacker to execute arbitrary commands on the device, achieving remote code execution (RCE). Public exploit code (EDB‑52548) demonstrates a reverse‑shell payload that can be triggered over HTTP.
Why It Matters for TPRM –
- Network‑edge devices are often managed by third‑party IT services; a compromise can give attackers a foothold inside client LANs.
- RCE on a router enables lateral movement, credential harvesting, and data exfiltration across all downstream systems.
- Most vendors do not audit for this vulnerability, and it may not be covered by standard patch‑management processes.
Who Is Affected – Telecommunications, enterprise IT, managed service providers, and any organization that deploys Linksys E1200 (or similar consumer‑grade routers) in production environments.
Recommended Actions –
- Verify firmware version on all Linksys E1200 devices; upgrade to a patched release if available.
- Enforce strong, unique administrative credentials and rotate them regularly.
- Segment router management interfaces on isolated VLANs and restrict access to trusted IP ranges.
- Include the device in regular vulnerability scans and monitor outbound traffic for unexpected connections (e.g., to port 8888).
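The first and last recommendations above (firmware triage and watching for the reverse‑shell callback) can be scripted. The following is an added example written for this brief, not code from the advisory or from the Exploit‑DB entry; the inventory fields, the firewall log format and the sample records are constructed, and the affected‑version ceiling (v2.0.04) and callback port (8888) are taken from the text above.

```python
import re

# Highest firmware version the advisory lists as affected (<= v2.0.04).
MAX_AFFECTED_VERSION = "2.0.04"

# Callback port named in the advisory's monitoring recommendation.
SUSPECT_PORT = 8888


def parse_version(version: str) -> tuple:
    """Turn 'v2.0.04' or '2.0.04' into a comparable tuple such as (2, 0, 4)."""
    return tuple(int(part) for part in version.strip().lstrip("vV").split("."))


def is_affected(model: str, firmware: str) -> bool:
    """True for an E1200 running the affected firmware range."""
    return (model.strip().upper() == "E1200"
            and parse_version(firmware) <= parse_version(MAX_AFFECTED_VERSION))


def triage_inventory(inventory: list) -> list:
    """Return the IPs of devices that still need patching or isolation."""
    return [dev["ip"] for dev in inventory if is_affected(dev["model"], dev["firmware"])]


# Constructed inventory (assumed field names: ip, model, firmware).
INVENTORY = [
    {"ip": "10.0.1.1", "model": "E1200", "firmware": "v2.0.04"},  # affected
    {"ip": "10.0.1.2", "model": "E1200", "firmware": "2.0.05"},   # newer build
    {"ip": "10.0.1.3", "model": "e1200", "firmware": "1.0.03"},   # older, affected
    {"ip": "10.0.1.4", "model": "E900",  "firmware": "1.0.01"},   # different model
]

# Constructed firewall log format:
#   <timestamp> src=<ip>:<port> dst=<ip>:<port> proto=tcp action=<allow|deny>
LOG_RE = re.compile(r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)")

FIREWALL_LOG = [
    "2025-10-01T12:00:01Z src=10.0.1.1:41022 dst=203.0.113.10:8888 proto=tcp action=allow",
    "2025-10-01T12:00:02Z src=10.0.1.20:51000 dst=203.0.113.10:8888 proto=tcp action=allow",
    "2025-10-01T12:00:03Z src=10.0.1.3:41023 dst=198.51.100.7:443 proto=tcp action=allow",
    "malformed line that the parser must skip",
    "2025-10-01T12:00:04Z src=10.0.1.3:41024 dst=198.51.100.7:8888 proto=tcp action=deny",
]


def find_callbacks(log_lines: list, router_ips: set, port: int = SUSPECT_PORT) -> list:
    """Flag outbound connections from router IPs to the suspect port.

    Denied attempts are reported too: a router trying to reach the port is
    the signal, whether or not the firewall let it through.
    """
    hits = []
    for line in log_lines:
        match = LOG_RE.search(line)
        if match is None:
            continue  # not a connection record
        if match["src"] in router_ips and int(match["dport"]) == port:
            hits.append((match["src"], match["dst"]))
    return hits


if __name__ == "__main__":
    routers = set(triage_inventory(INVENTORY))
    print("affected routers:", sorted(routers))
    print("suspect outbound connections:", find_callbacks(FIREWALL_LOG, routers))
```

A workstation (10.0.1.20) talking to port 8888 is deliberately not flagged; the detection keys on the router addresses produced by the inventory triage, so the two steps feed each other.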
Technical Notes – The exploit abuses an authenticated POST request to /apply with a crafted payload that overflows a stack buffer, overwriting the return address and spawning a shell. CVE‑2025‑60690 is classified as a zero‑day vulnerability; no vendor‑issued patch was public as of the report date. The attack vector requires valid admin credentials, making credential theft or reuse the primary enabler. Source: https://www.exploit-db.com/exploits/52548
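Because exploitation goes through an authenticated POST to /apply, a reverse proxy or logging gateway in front of the management interface gives a second detection point. The block below is an added example for this brief, not code from the advisory or the Exploit‑DB entry; the access‑log format, the sample lines, the management allow‑list (10.0.9.0/24) and the body‑size threshold are all assumptions, and the threshold in particular should be tuned against a baseline of legitimate configuration saves.

```python
import ipaddress
import re

# Constructed access-log format (a gateway that records request body size):
#   <timestamp> <client_ip> <user> "<METHOD> <path>" <status> req_bytes=<n>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<user>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) req_bytes=(?P<req_bytes>\d+)$'
)

# Assumed values, not from the advisory: tune both to the environment.
MGMT_ALLOWLIST = ipaddress.ip_network("10.0.9.0/24")
BODY_THRESHOLD = 4096

ACCESS_LOG = [
    '2025-10-01T12:00:01Z 10.0.9.5 admin "POST /apply" 200 req_bytes=512',
    '2025-10-01T12:00:02Z 10.0.9.5 admin "POST /apply" 200 req_bytes=9000',
    '2025-10-01T12:00:03Z 192.0.2.77 admin "POST /apply" 200 req_bytes=300',
    '2025-10-01T12:00:04Z 10.0.9.5 admin "GET /apply" 200 req_bytes=0',
    '2025-10-01T12:00:05Z 10.0.9.5 admin "POST /index.asp" 200 req_bytes=8000',
    'not a log line',
]


def parse_line(line: str):
    """Return the parsed fields of one access-log line, or None if malformed."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def suspicious_apply_posts(log_lines: list) -> list:
    """Flag POSTs to /apply that are oversized or come from outside the
    management allow-list. Returns (client_ip, reason) pairs in log order."""
    findings = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != "/apply":
            continue
        client = ipaddress.ip_address(rec["client"])
        size = int(rec["req_bytes"])
        if client not in MGMT_ALLOWLIST:
            findings.append((rec["client"], "client outside management allow-list"))
        if size > BODY_THRESHOLD:
            findings.append((rec["client"], f"oversized body: {size} bytes"))
    return findings


if __name__ == "__main__":
    for client, reason in suspicious_apply_posts(ACCESS_LOG):
        print(f"{client}: {reason}")
```

The size check catches the payload shape the advisory describes (a request body large enough to overrun a stack buffer), while the allow‑list check enforces the segmentation recommendation and surfaces use of stolen credentials from an unexpected network.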