PT-2025-36919 · Lb Link · Lb-Link Bl-Cpe300M Ax300 4G Lte Router

Zyenra · Published 2025-09-09 · Updated 2025-10-10 · CVE-2025-57278

CVSS v3.1: 8.8 (High)

Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: LB-Link BL-CPE300M AX300 4G LTE Router version BL-R8800 B10 ALK SL V01.01.02P42U14 06
Description: The LB-Link BL-CPE300M AX300 4G LTE Router does not implement proper session handling. After a user authenticates from a specific IP address, the router grants access to any other client using that same IP address, without requiring credentials or verifying client identity. The absence of session tokens, cookies, or unique identifiers allows an attacker to obtain full administrative access by configuring their device to use the same IP address as a previously authenticated user, resulting in a complete authentication bypass.
Recommendations: Update to a newer firmware version that implements secure session handling. As a temporary workaround, restrict access to the router's administrative interface to a limited set of trusted IP addresses.
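
The session-handling flaw described above, modelled next to a token-bound check of the kind the recommendation calls for. This is an added example, not the router's firmware or vendor code; the class names, the password, the lifetime value and the addresses used with it are constructed for illustration.

```python
import hmac
import secrets
import time

ADMIN_PASSWORD = "constructed-example-password"  # constructed sample credential
SESSION_TTL = 600  # seconds; assumed session lifetime


def password_ok(password):
    return hmac.compare_digest(password.encode(), ADMIN_PASSWORD.encode())


class IpKeyedAuth:
    """Models the flaw: 'logged in' is a property of the source IP address."""

    def __init__(self):
        self.authed_ips = set()

    def login(self, src_ip, password):
        if password_ok(password):
            self.authed_ips.add(src_ip)
            return True
        return False

    def is_authorized(self, src_ip, cookie=None):
        return src_ip in self.authed_ips  # no per-client secret is checked


class TokenSessionAuth:
    """Hardened form: every login mints a random token the client must present."""

    def __init__(self):
        self.sessions = {}  # token -> (src_ip, expiry time)

    def login(self, src_ip, password, now=None):
        if not password_ok(password):
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (src_ip, now + SESSION_TTL)
        return token  # delivered to the browser as an HttpOnly cookie

    def is_authorized(self, src_ip, cookie=None, now=None):
        now = time.time() if now is None else now
        entry = self.sessions.get(cookie)
        if entry is None or entry[1] < now:
            self.sessions.pop(cookie, None)  # drop expired sessions
            return False
        return entry[0] == src_ip  # IP is an extra binding, never the credential
```

In the first class a request with no cookie is authorized as soon as its source address matches an earlier login; in the second the same request is rejected because the address alone carries no secret.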

Exploit

Fix

Weakness Enumeration: Improper Authentication

Related Identifiers: CVE-2025-57278

Affected Products: Lb-Link Bl-Cpe300M Ax300 4G Lte Router