CVE-2025-57685 · HIGH 8.8 · EPSS p69.5%

Description

The LB-Link routers, including the BL-AC2100_AZ3 V1.0.4, BL-WR4000 v2.5.0, BL-WR9000_AE4 v2.4.9, BL-AC1900_AZ2 v1.0.2, BL-X26_AC8 v1.2.8, and BL-LTE300_DA4 V1.2.3 models, are vulnerable to unauthorized command injection. Attackers can exploit this vulnerability by accessing the /goform/set_serial_cfg interface to gain the highest level of device privileges without authorization, enabling them to remotely execute malicious commands.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.43% probability of exploitation · percentile 69.5% · 2026-06-19T12:03:05Z
Published: 2025-09-22
Last modified: 2026-04-15

Underlying weaknesses · 1

CWE-77

References

  1. http://bl-ac2100.com
  2. https://github.com/mono7s/LB-Link/blob/main/bs_SetSerial.md
  3. https://www.b-link.net.cn/

Type: Weakness
Target: Improper Neutralization of Special Elements used in a Command ('Command Injection') (cwe-77)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-4228
  2. CVE-2025-45988
  3. CVE-2025-1609
  4. CVE-2025-1610
  5. CVE-2025-9580
  6. CVE-2025-9579

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.