Command Injection Vulnerability in Linksys FGW3000 Series
CVE-2025-4999

5.3 MEDIUM

Key Information:

Vendor: Linksys

CVE Published: 20 May 2025

What is CVE-2025-4999?

A command injection vulnerability exists in the Linksys FGW3000-AH and FGW3000-HK devices, in the HTTP POST request handler (function sub_4153FC) of the sysconf.cgi file. The flaw arises from improper handling of the supplicant_rnd_id_en argument, which could allow a remote attacker to execute arbitrary commands on the affected device. The exploit has been publicly disclosed, so users of these devices may be at risk if they do not apply the necessary security measures. Immediate attention is recommended to safeguard against potential exploitation.

Affected Version(s)

FGW3000-AH 1.0.0

FGW3000-AH 1.0.1

FGW3000-AH 1.0.2

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

CH13hh (VulDB User)