PT-2021-16511 · Belkin · Belkin Linksys WRT160NL

Published

2021-02-02

·

Updated

2024-08-03

·

CVE-2021-25310

CVSS v2.0

9.0

High

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Belkin Linksys WRT160NL, firmware version 1.0.04.002_US_20130619
Description: The administration web interface on Belkin Linksys WRT160NL devices allows remote authenticated attackers to execute system commands with root privileges via shell metacharacters in the ui_language POST parameter to the apply.cgi form endpoint. The injection occurs in the do_upgrade_post function in mini_httpd, which hands the parameter to a shell without validating it. Valid administrator credentials are required (CVSS Au:S), but the web server runs as root, so a successful injection gives full control of the device. This vulnerability only affects products that are no longer supported by the maintainer.
Recommendations: The WRT160NL is end-of-life and no firmware release containing a fix is known, so treat the issue as permanent for this device. Do not expose the administration interface to the WAN or to untrusted networks; reach it only from a trusted management network or over a VPN. Because the attack requires valid credentials, change the default administrator password and limit who holds it. Where the device must stay in service, restrict access to the apply.cgi endpoint at an upstream firewall so that only trusted hosts can reach it. Disabling the do_upgrade_post handler or the ui_language parameter is not a configuration option; it would require modifying mini_httpd in the firmware itself, so the practical remediation is to replace the device with a supported model.
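The bug class described above, shown as an added example that is not Linksys or mini_httpd code: a hypothetical CGI handler that splices the ui_language parameter into a command string destined for system(), beside a hardened handler that allowlists the value and builds an argv for execv() so no shell ever parses it. The command, file paths, the allowlist rule and the sample inputs are assumptions made for the illustration; the real do_upgrade_post code path is not reproduced here.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample inputs (not captured traffic): what a benign client
 * and an attacker might send in the ui_language POST parameter. */
static const char *SAMPLE_BENIGN  = "en";
static const char *SAMPLE_HOSTILE = "en;reboot";

/* Vulnerable pattern (hypothetical, not mini_httpd's source): the parameter
 * is formatted into a command line that is then passed to system(), so
 * ';', '|', '`', '$(' and friends are interpreted by /bin/sh as root.
 * Returns 0 on success, -1 if the command does not fit in out. */
int build_cmd_vulnerable(const char *ui_language, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "cp /www/lang/%s.js /tmp/ui_lang.js",
                     ui_language);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Returns 1 if s contains a character /bin/sh treats specially. Useful as a
 * quick detection check on request bodies logged by a reverse proxy. */
int has_shell_metachar(const char *s)
{
    return strpbrk(s, ";|&`$()<>{}[]*?~!#\"'\\ \t\r\n") != NULL;
}

/* Allowlist (assumed rule): a language tag is 2 to 8 characters drawn from
 * [a-z0-9_]. Anything else is rejected before the value is used anywhere. */
int ui_language_is_valid(const char *s)
{
    size_t len = strlen(s);
    if (len < 2 || len > 8)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(islower(c) || isdigit(c) || c == '_'))
            return 0;
    }
    return 1;
}

/* Hardened handler: validate against the allowlist and build an argv for
 * fork()/execv() instead of a string for system(). Even if a metacharacter
 * slipped past the allowlist it would reach cp as a literal argument, never
 * a shell. src receives the source path; returns argc, or -1 on rejection. */
int build_argv_hardened(const char *ui_language, char *src, size_t srclen,
                        char **argv, size_t argv_max)
{
    if (argv_max < 4 || !ui_language_is_valid(ui_language))
        return -1;
    int n = snprintf(src, srclen, "/www/lang/%s.js", ui_language);
    if (n < 0 || (size_t)n >= srclen)
        return -1;
    argv[0] = "/bin/cp";
    argv[1] = src;
    argv[2] = "/tmp/ui_lang.js";
    argv[3] = NULL;
    return 3;
}

int main(void)
{
    char cmd[256], src[64];
    char *argv[4];

    build_cmd_vulnerable(SAMPLE_HOSTILE, cmd, sizeof cmd);
    printf("vulnerable handler would run via /bin/sh: %s\n", cmd);
    printf("metacharacters in hostile input: %d\n",
           has_shell_metachar(SAMPLE_HOSTILE));

    printf("hardened handler, benign input -> argc %d\n",
           build_argv_hardened(SAMPLE_BENIGN, src, sizeof src, argv, 4));
    printf("hardened handler, hostile input -> %d (rejected)\n",
           build_argv_hardened(SAMPLE_HOSTILE, src, sizeof src, argv, 4));
    return 0;
}
```

With the hostile sample the vulnerable handler produces `cp /www/lang/en;reboot.js /tmp/ui_lang.js`, which a shell runs as two commands; the hardened handler refuses the value before it touches a path or a process.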

Exploit

Weakness Enumeration

OS Command Injection (CWE-78)

Related Identifiers

CVE-2021-25310

Affected Products

Belkin Linksys WRT160NL