Command Injection Vulnerability in Linksys FGW3000-AH and FGW3000-HK
CVE-2025-5000
5.3 MEDIUM
What is CVE-2025-5000?
A command injection vulnerability exists in Linksys FGW3000-AH and FGW3000-HK routers. The handler for the control_panel_sw HTTP POST request in /cgi-bin/sysconf.cgi improperly handles its input: an attacker can manipulate the 'filename' argument, which may allow arbitrary command execution. The flaw can be exploited remotely without authentication, potentially compromising network security. The vendor was notified beforehand but did not respond, raising concerns about potential risks to users.
Affected Version(s)
FGW3000-AH 1.0.0
FGW3000-AH 1.0.1
FGW3000-AH 1.0.2
EPSS Score
10% chance of being exploited in the next 30 days.
CVSS V4
Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
CH13hh (VulDB User)