Five critical vulnerabilities, each scoring a CVSS of 9.8, have been disclosed in multiple models of Blink BL-series routers, exposing users to command injection through unauthenticated HTTP requests. The flaws, tracked as CVE-2025-45984 through CVE-2025-45988, affect a wide range of firmware versions used in both consumer and enterprise-grade networking equipment.
These vulnerabilities reside in the /bin/goahead web server binary and the shared libraries it links against, and allow an unauthenticated attacker to execute arbitrary system commands as root, effectively taking full control of the affected devices.
CVE-2025-45984: Route to Root via Password Manipulation - This vulnerability stems from the sub_45B238 function, where the routepwd parameter is not filtered: the unsanitized value is formatted into a command string with sprintf and then executed through the bl_do_system function. A crafted POST request to /goform/set_manpwd lets an attacker chain shell commands and leave system-level artifacts, such as newly created directories.
CVE-2025-45985: SSID Stealth Exploit - The sub_44D9F4 function is vulnerable through the enable parameter: a manipulated value injects commands into the bs_SetSSIDHide function from libshare-0.0.26.so. By abusing the /goform/set_hidessid_cfg endpoint, attackers can execute arbitrary shell commands.
CVE-2025-45986: MAC Filtering Turned Malware Gateway - The sub_45BD1C function and bs_SetMacBlack in the shared library share the same oversight: the mac parameter is passed through unfiltered, so an attacker can insert command sequences through /goform/set_blacklist.
CVE-2025-45987: DNS Fields Used as Command Proxies - This vulnerability affects the DNS configuration function sub_44E628. By manipulating the dns1 and dns2 values passed to bs_SetDNSInfo, attackers can execute system commands through /goform/set_AdvDns_cfg.
CVE-2025-45988: Command Execution via General Purpose Interface - The final vulnerability resides in the sub_44D18C function, which invokes bs_SetCmd, a general-purpose command execution handler. The attacker-supplied cmd value is passed directly to popen, allowing arbitrary shell execution.
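All five bugs share one shape: a form parameter is formatted into a buffer and that buffer is handed to a shell (system or popen). The following is an added example written for this page, not code from the Blink firmware or from the advisory. It shows that sink pattern for the routepwd case next to a hardened handler that allowlists the value and then executes a helper without any shell. The names vuln_build_cmd, safe_set_manpwd, pwd_is_valid and the "setpwd" helper are assumptions for illustration; the real code lives in sub_45B238 and bl_do_system inside /bin/goahead and its exact format string is not published.

```c
/* Added example, not Blink firmware code. Demonstrates the command-injection
 * sink described for CVE-2025-45984 and one way to harden it. Function and
 * helper names are assumed; "setpwd" stands in for whatever the firmware runs. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable: routepwd is interpolated verbatim. "x; mkdir /tmp/hacker"
 * becomes two commands once the string reaches /bin/sh. */
int vuln_build_cmd(const char *routepwd, char *cmd, size_t cmdsz)
{
    return snprintf(cmd, cmdsz, "setpwd %s", routepwd);
}

/* Stand-in for bl_do_system: shell out with the built string.
 * Shown for completeness; never call this with untrusted input. */
int vuln_set_manpwd(const char *routepwd)
{
    char cmd[256];
    if (vuln_build_cmd(routepwd, cmd, sizeof cmd) >= (int)sizeof cmd) return -1;
    return system(cmd);   /* runs as root on the router */
}

/* Hardened step 1: allowlist. A router password has no business containing
 * shell syntax, so anything outside a narrow character set is rejected. */
int pwd_is_valid(const char *pwd)
{
    size_t n = strlen(pwd);
    if (n == 0 || n > 63) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)pwd[i];
        if (!isalnum(c) && strchr("._-@", c) == NULL) return 0;
    }
    return 1;
}

/* Hardened step 2: no shell at all. The value travels as its own argv
 * element, so metacharacters stay inert even if validation ever slipped. */
int run_argv(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);           /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* tool: absolute path of the helper to run ("/bin/true" for a dry run).
 * Returns -1 when the input is rejected, otherwise the helper's exit code. */
int safe_set_manpwd(const char *tool, const char *routepwd)
{
    if (!pwd_is_valid(routepwd)) return -1;   /* reject, log, answer 400 */
    char *const argv[] = { (char *)tool, (char *)routepwd, NULL };
    return run_argv(argv);
}

int main(void)
{
    char buf[256];
    const char *evil = "x; mkdir /tmp/hacker";   /* constructed payload */
    vuln_build_cmd(evil, buf, sizeof buf);
    printf("vulnerable command string: %s\n", buf);
    printf("hardened handler, injected input: %d\n", safe_set_manpwd("/bin/true", evil));
    printf("hardened handler, valid input:    %d\n", safe_set_manpwd("/bin/true", "Secret.123"));
    return 0;
}
```

The allowlist is deliberately strict rather than a blocklist of known metacharacters: the DNS, MAC and SSID handlers on the same device each have their own legal syntax (dotted quads, colon-separated hex, 0/1 flags), and a per-field allowlist plus argv-style execution closes all of them the same way.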
Impact and severity ->
Unauthenticated Access: All five vulnerabilities require no prior login or session token.
Zero-Click Potential: With network access to the web interface, attackers can silently plant malware, establish persistence, or alter the network configuration.
Shared Affected Codebase: Each flaw sits in the same goahead binary and its associated shared object, so one bug class spans multiple models and firmware versions.
Affected products include BL-WR9000, BL-AC1900, BL-AC2100_AZ3, BL-X10_AC8, BL-X26_AC8, BL-LTE300, BL-F1200_AT1, BLAC450M_AE4 and BL-X26_DA3, across firmware versions dating back to 2023.
Mitigation steps ->
Immediate Firmware Updates: All affected users should patch to the latest firmware version as soon as it is available.
Restrict Admin Panel Access: Ensure the router's administrative interface is reachable only from the local network or over a secure VPN connection, never from the WAN side.
Enable Input Filtering: Network administrators should deploy web application firewalls (WAF) and traffic inspection tools to detect payloads carrying shell metacharacters aimed at the /goform/ endpoints.
Monitor for Anomalies: Look for unexpected directories on the device (e.g., hacker, sub_44D9F4) as signs that a command-injection proof of concept has been run against it.
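The filtering and monitoring advice above boils down to one check: requests to the vulnerable /goform/set_* handlers whose form values decode to shell metacharacters. The following is an added example written for this page, not a Blink or vendor tool. It percent-decodes each form value, flags shell syntax, and classifies a few constructed request lines; the "METHOD PATH BODY" line format and the sample lines are constructed for the example and should be adapted to whatever your proxy or WAF actually logs.

```c
/* Added example: flag requests to the /goform/set_* handlers named in the
 * advisory when any form value decodes to shell metacharacters.
 * Log line format ("METHOD PATH BODY") and sample lines are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static const char *const WATCHED[] = {
    "/goform/set_manpwd", "/goform/set_hidessid_cfg",
    "/goform/set_blacklist", "/goform/set_AdvDns_cfg", NULL
};

static int hexval(int c)
{
    c = tolower((unsigned char)c);
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode one form value [in, in+n) into out; '+' becomes ' '. */
static size_t url_decode(const char *in, size_t n, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; i < n && o + 1 < outsz; i++) {
        if (in[i] == '%' && i + 2 < n) {
            int h = hexval(in[i + 1]), l = hexval(in[i + 2]);
            if (h >= 0 && l >= 0) { out[o++] = (char)(h * 16 + l); i += 2; continue; }
        }
        out[o++] = (in[i] == '+') ? ' ' : in[i];
    }
    out[o] = '\0';
    return o;
}

/* 1 if any value in an application/x-www-form-urlencoded body contains
 * shell syntax after decoding. '&' between pairs is a separator, not a hit. */
int body_suspicious(const char *body)
{
    const char *p = body;
    while (*p) {
        const char *end = strchr(p, '&');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        const char *eq = memchr(p, '=', len);
        const char *val = eq ? eq + 1 : p;
        size_t vlen = len - (size_t)(val - p);
        char dec[512];
        url_decode(val, vlen, dec, sizeof dec);
        if (strpbrk(dec, ";|&`$(){}<>\n\r") != NULL) return 1;
        if (!end) break;
        p = end + 1;
    }
    return 0;
}

/* 0: not a watched endpoint, 1: watched and clean, 2: watched and suspicious */
int classify_line(const char *line)
{
    char method[16], path[256], body[512] = "";
    if (sscanf(line, "%15s %255s %511s", method, path, body) < 2) return 0;
    int watched = 0;
    for (int i = 0; WATCHED[i]; i++)
        if (strcmp(path, WATCHED[i]) == 0) watched = 1;
    if (!watched) return 0;
    return body_suspicious(body) ? 2 : 1;
}

/* Constructed sample traffic: two benign config changes, a MAC entry, a
 * GET for an unrelated page, and two injection attempts. */
static const char *const SAMPLES[] = {
    "POST /goform/set_manpwd routepwd=Secret.123",
    "POST /goform/set_manpwd routepwd=x%3Bmkdir+%2Ftmp%2Fhacker",
    "POST /goform/set_AdvDns_cfg dns1=8.8.8.8&dns2=1.1.1.1",
    "POST /goform/set_hidessid_cfg enable=1%7Cid",
    "POST /goform/set_blacklist mac=00%3A11%3A22%3A33%3A44%3A55",
    "GET /index.html",
};

/* Number of sample lines that look like injection attempts. */
int scan_samples(void)
{
    int flagged = 0;
    for (size_t i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++)
        if (classify_line(SAMPLES[i]) == 2) flagged++;
    return flagged;
}

int main(void)
{
    for (size_t i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++)
        printf("%d  %s\n", classify_line(SAMPLES[i]), SAMPLES[i]);
    printf("flagged: %d\n", scan_samples());
    return 0;
}
```

Decoding before matching matters: the payloads in these reports arrive percent-encoded, so a rule that looks for a literal semicolon in the raw body never fires. The path match is exact and ignores query strings; extend WATCHED with whichever endpoint the sub_44D18C/bs_SetCmd handler is exposed on once that is known for your firmware.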