CVE-2025-45984

high-risk

Published 2025-06-13

Blink routers BL-WR9000 V2.4.9, BL-AC1900 V1.0.2, BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 V1.0.5, BL-LTE300 V1.2.3, BL-F1200_AT1 V1.0.0, BL-X26_AC8 V1.2.8, BLAC450M_AE4 V4.0.0 and BL-X26_DA3 V1.2.7 were discovered to contain a command injection vulnerability via the routepwd parameter in the sub_45B238 function.

Do I need to act?

11.9% chance of exploitation in next 30 days

EPSS score — higher than 88% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (9)

Bl-Wr9000 Firmware

Bl-Ac1900 Firmware

Bl-Ac2100 Az3 Firmware

Bl-X10 Ac8 Firmware

Bl-Lte300 Firmware

Bl-F1200 At1 Firmware

Bl-X26 Ac8 Firmware

Blac450M Ae4 Firmware

Bl-X26 Da3 Firmware

Affected Vendors

B-Link

References (1)

Exploit https://github.com/glkfc/IoT-Vulnerability/blob/main/LB-LINK/LB-LINK_routepwd%20...

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 12/34 · Low

Exposure 15/34 · Moderate