PT-2025-25407 · Blink · Lb-Link Bl-Wr9000+7

Published 2025-04-12 · Updated 2025-07-10 · CVE-2025-45987

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Blink BL-WR9000 version 2.4.9
Blink BL-AC2100 AZ3 version 1.0.4
Blink BL-X10 AC8 version 1.0.5
Blink BL-LTE300 version 1.2.3
Blink BL-F1200 AT1 version 1.0.0
Blink BL-X26 AC8 version 1.2.8
Blink BLAC450M AE4 version 4.0.0
Blink BL-X26 DA3 version 1.2.7

Description

Multiple command injection vulnerabilities were found in various Blink router models. They can be exploited through the dns1 and dns2 parameters of the bs_SetDNSInfo function.

Recommendations

Update the firmware to a version that fixes the command injection vulnerability on each affected model:

Blink BL-WR9000 version 2.4.9
Blink BL-AC2100 AZ3 version 1.0.4
Blink BL-X10 AC8 version 1.0.5
Blink BL-LTE300 version 1.2.3
Blink BL-F1200 AT1 version 1.0.0
Blink BL-X26 AC8 version 1.2.8
Blink BLAC450M AE4 version 4.0.0
Blink BL-X26 DA3 version 1.2.7

As a temporary workaround, consider restricting access to the bs_SetDNSInfo function to minimize the risk of exploitation. Avoid using the dns1 and dns2 parameters in the affected function until the issue is resolved.

Exploit

Fix

Command Injection

Weakness Enumeration

Related Identifiers

BDU:2025-06883
CVE-2025-45987

Affected Products

Blink Bl-Ac2100 Az3
Blink Bl-F1200 At1
Lb-Link Bl-Lte300
Lb-Link Bl-Wr9000
Blink Bl-X10 Ac8
Blink Bl-X26 Ac8
Blink Bl-X26 Da3
Blink Blac450M Ae4