PT-2026-4912 · Pix Link · Pix-Link Lv-Wr21Q
Wojciech Cybowski · Published 2026-01-27 · Updated 2026-01-31 · CVE-2025-12386
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Pix-Link LV-WR21Q version V108 108
Pix-Link LV-WR21Q (affected versions not specified)
Description
The Pix-Link LV-WR21Q device does not require authentication for the /goform/getHomePageInfo API endpoint. This allows a remote, unauthenticated attacker to access the endpoint and potentially retrieve the cleartext password for the access point. The vendor was notified of this issue but did not provide details regarding vulnerable version ranges.
Recommendations
Apply a patch or update to a newer version that addresses this issue.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Missing Authentication
Weakness Enumeration
Related Identifiers
Affected Products
Pix-Link Lv-Wr21Q