CVE-2025-4999

Published: May 20, 2025Modified: Jun 12, 2025

5.3

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Show more

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: CNA (Secondary)

Description

A vulnerability was found in Linksys FGW3000-AH and FGW3000-HK up to 1.0.17.000000 and classified as critical. Affected by this issue is the function sub_4153FC of the file /cgi-bin/sysconf.cgi of the component HTTP POST Request Handler. The manipulation of the argument supplicant_rnd_id_en leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected (2)

Products: Linksys: Fgw3000 Ah Firmware, Fgw3000 Hk Firmware

2 products

Fgw3000 Ah Firmware

Fgw3000 Hk Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Linksys Fgw3000 Ah Firmware	Up to 1.0.17.000000

Running on/with	Platform Versions
Linksys Fgw3000 Ah	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Linksys Fgw3000 Hk Firmware	Up to 1.0.17.000000

Running on/with	Platform Versions
Linksys Fgw3000 Hk	All versions

Related CWEs

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (5)

https://github.com/CH13hh/tmp_store_cc/blob/main/FGW3000/1.md

Source: cna@vuldb.com

Broken Link

https://vuldb.com/?ctiid.309650

Source: cna@vuldb.com

Permissions RequiredVDB Entry

https://vuldb.com/?id.309650

Source: cna@vuldb.com

Third Party AdvisoryVDB Entry

https://vuldb.com/?submit.565909

Source: cna@vuldb.com

Third Party AdvisoryVDB Entry

https://www.linksys.com/

Source: cna@vuldb.com

Product

Timeline

No history available yet.