PT-2025-25408 · Blink · Bl-Ac2100 Az3 and 7 more

Glkfc · Published 2025-04-12 · Updated 2025-06-16 · CVE-2025-45988

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Blink routers BL-WR9000 version 2.4.9
Blink routers BL-AC2100 AZ3 version 1.0.4
Blink routers BL-X10 AC8 version 1.0.5
Blink routers BL-LTE300 version 1.2.3
Blink routers BL-F1200 AT1 version 1.0.0
Blink routers BL-X26 AC8 version 1.2.8
Blink routers BLAC450M AE4 version 4.0.0
Blink routers BL-X26 DA3 version 1.2.7

Description

The issue concerns multiple command injection vulnerabilities. These vulnerabilities can be exploited via the cmd parameter in the bs SetCmd function.

Recommendations

For BL-WR9000 version 2.4.9, consider disabling the bs SetCmd function until a patch is available.
For BL-AC2100 AZ3 version 1.0.4, restrict access to the cmd parameter in the bs SetCmd function to minimize the risk of exploitation.
For BL-X10 AC8 version 1.0.5, avoid using the cmd parameter in the affected API endpoint until the issue is resolved.
For BL-LTE300 version 1.2.3, consider temporarily disabling the bs SetCmd function to prevent exploitation.
For BL-F1200 AT1 version 1.0.0, restrict the use of the cmd parameter in the bs SetCmd function.
For BL-X26 AC8 version 1.2.8, disable the bs SetCmd function as a temporary workaround.
For BLAC450M AE4 version 4.0.0, avoid using the cmd parameter in the bs SetCmd function.
For BL-X26 DA3 version 1.2.7, restrict access to the bs SetCmd function to minimize the risk of exploitation.

Weakness Enumeration

Command Injection

Related Identifiers

BDU:2025-06884
CVE-2025-45988

Affected Products

Bl-Ac2100 Az3
Bl-F1200 At1
Bl-Lte300
Bl-Wr9000
Bl-X10 Ac8
Bl-X26 Ac8
Bl-X26 Da3
Blac450M Ae4