CVE-2025-60689: An unauthenticated command injection vulnerability exists in the Start_EPI function of the httpd binary on...
An unauthenticated command injection vulnerability exists in the Start_EPI function of the httpd binary on Linksys E1200 v2 routers (Firmware E1200_v2.0.11.001_us.tar.gz). The vulnerability occurs because user-supplied CGI parameters (wl_ant, wl_ssid, wl_rate, ttcp_num, ttcp_ip, ttcp_size) are concatenated into system command strings without proper sanitization and executed via wl_exec_cmd. Successful exploitation allows remote attackers to execute arbitrary commands on the device without authentication.
Security readout for executives and security teams
Plain-English summary
CVE-2025-60689 lets an unauthenticated attacker run commands on certain Linksys E1200 v2 routers by abusing unsafe handling of web interface parameters. The CVE rates it medium because access is adjacent-network, not internet-wide by default. Business urgency is tied to whether these legacy routers exist and are reachable from untrusted networks.
Executive priority
Prioritize inventory and exposure reduction over emergency response unless these routers are present on untrusted networks. The risk is meaningful for legacy network edge devices, but current sources do not support active exploitation or broad internet exposure.
Technical view
The issue is command injection in the Start_EPI function of the httpd binary. Several CGI parameters are reportedly concatenated into system command strings without proper sanitization and executed through wl_exec_cmd. The stated target is Linksys E1200 v2 firmware E1200_v2.0.11.001_us.tar.gz. CVSS 3.1 is 5.4, AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N.
Likely exposure
Exposure appears limited to Linksys E1200 v2 routers running the named firmware. The CVE affected-product fields are incomplete, listing n/a, so teams should verify inventory manually instead of relying only on scanner CPE matching.
Exploitation context
The source bundle supports unauthenticated remote command execution from an adjacent network. It does not show CISA KEV listing or cited evidence of active exploitation. Public technical details exist in a GitHub writeup, but this assessment does not reproduce exploit steps.
Researcher notes
Key uncertainty is product metadata quality: the narrative names Linksys E1200 v2 firmware, while structured affected fields are n/a. Validate against device firmware and vendor guidance. Avoid assuming other Linksys models are affected without separate evidence.
Mitigation direction
Identify any Linksys E1200 v2 routers in production or remote offices.
Check Linksys guidance for firmware updates, advisories, or retirement direction.
Remove management interfaces from untrusted or guest networks.
Replace affected routers if no supported fixed firmware is available.
Restrict administration to trusted network segments only.
Validation and detection
Confirm router model and hardware revision are Linksys E1200 v2.
Confirm whether firmware matches E1200_v2.0.11.001_us.tar.gz or equivalent version.
Review whether router web administration is reachable from untrusted networks.
Check vulnerability scanner results manually because affected CPE data is incomplete.
Monitor device configuration changes and unexpected administrative activity.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-77: Command execution behavior lookup
Command injection weaknesses can lead defenders to review execution techniques and command interpreter telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
3Timeline events
1ADP providers
3Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: yesTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-77 · source CWE mapping
Improper Neutralization of Special Elements used in a Command ('Command Injection')
Improper Neutralization of Special Elements used in a Command ('Command Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.