PT-2025-31692 · Linksys · Wrt160Nv2+1

Published: 2012-12-23 · Updated: 2025-08-01 · CVE-2013-10058

CVSS v4.0: 8.6 (High)

Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: Linksys router versions v2.0.03

Description: An authenticated OS command injection vulnerability exists in various Linksys router models (tested on WRT160Nv2). The web interface does not properly sanitize user-supplied input passed to the ping size parameter of the /apply.cgi API endpoint during diagnostic operations. An attacker with valid credentials can inject arbitrary shell commands, enabling remote code execution.

Recommendations: Update to a newer firmware version to address this issue.
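
The class of fix for the flaw described above, as an added example (not Linksys firmware code): the ping size is accepted only as a bounded decimal integer, and the command is built as an argument vector instead of a shell string. The function names, the 65507 upper bound and the `ping -c/-s` argument layout are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed limit: largest IPv4 ICMP payload, not taken from the firmware. */
#define PING_SIZE_MAX 65507L

/* Accept only 1-5 ASCII digits within range. Signs, whitespace and every
 * shell metacharacter (; | & ` $ newline ...) are rejected. Returns 0 or -1. */
int parse_ping_size(const char *raw, long *out)
{
    size_t n = raw ? strlen(raw) : 0;
    if (n == 0 || n > 5 || strspn(raw, "0123456789") != n)
        return -1;
    long v = strtol(raw, NULL, 10);   /* cannot overflow: at most 5 digits */
    if (v > PING_SIZE_MAX)
        return -1;
    *out = v;
    return 0;
}

/* Fill an argv for execv()/posix_spawn(): one argument per element, no
 * shell. The size is re-rendered from the parsed integer, so the raw request
 * string never reaches the command. `host` is assumed validated elsewhere. */
int build_ping_argv(const char *raw_size, const char *host,
                    char sizebuf[8], const char *argv[7])
{
    long size;
    if (host == NULL || parse_ping_size(raw_size, &size) != 0)
        return -1;
    snprintf(sizebuf, 8, "%ld", size);
    argv[0] = "ping"; argv[1] = "-c"; argv[2] = "4";
    argv[3] = "-s";   argv[4] = sizebuf;
    argv[5] = host;   argv[6] = NULL;
    return 0;
}

int main(void)
{
    /* Constructed inputs: one valid size, then malformed values. */
    const char *samples[] = { "56", "56;true", "56 32", "-1", "99999", "" };
    char buf[8];
    const char *argv[7];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-10s -> %s\n", samples[i],
               build_ping_argv(samples[i], "192.0.2.1", buf, argv) ? "rejected" : "accepted");
    return 0;
}
```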

Fix

RCE

OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2025-11370
CVE-2013-10058

Affected Products

Linksys Routers
Wrt160Nv2