lb-link 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
一般的な弱点パターンには バッファオーバーフロー、vendor risk memory corruption, and パス処理の欠陥 があり、vendor surface software deployment and vendor surface production workloads の利用場面で アプリケーションクラッシュ、vendor impact memory corruption, and ファイル上書き などのリスクが生じる可能性があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2026-4228 | A vulnerability was detected in LB-LINK BL-WR9000 2.4.9. This affects the function sub_458754 of the file /goform/set_wifi. The manipulation results in command injection. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | [email protected] | 2.1 | 5.17% | 2026-03-16 | 2026-04-29 |
| CVE-2026-4227 | A security vulnerability has been detected in LB-LINK BL-WR9000 2.4.9. The impacted element is the function sub_44D844 of the file /goform/get_hidessid_cfg. The manipulation leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | [email protected] | 7.4 | 0.66% | 2026-03-16 | 2026-03-20 |
| CVE-2026-4226 | A weakness has been identified in LB-LINK BL-WR9000 2.4.9. The affected element is the function sub_44E8D0 of the file /goform/get_virtual_cfg. Executing a manipulation can lead to stack-based buffer overflow. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | [email protected] | 7.4 | 0.69% | 2026-03-16 | 2026-03-20 |
| CVE-2025-10773 | A security flaw has been discovered in B-Link BL-AC2100 up to 1.0.3. Affected by this issue is the function delshrpath of the file /goform/set_delshrpath_cfg of the component Web Management Interface. The manipulation of the argument Type results in stack-based buffer overflow. The attack may be performed from remote. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | [email protected] | 7.4 | 3.72% | 2025-09-22 | 2025-09-30 |
| CVE-2025-57278 | The LB-Link BL-CPE300M AX300 4G LTE Router firmware version BL-R8800_B10_ALK_SL_V01.01.02P42U14_06 does not implement proper session handling. After a user authenticates from a specific IP address, the router grants access to any other client using that same IP, without requiring credentials or verifying client identity. There are no session tokens, cookies, or unique identifiers in place. This flaw allows an attacker to obtain full administrative access simply by configuring their device to use | [email protected] | 8.8 | 0.41% | 2025-09-09 | 2025-10-10 |
| CVE-2025-9580 | A security vulnerability has been detected in LB-LINK BL-X26 1.2.8. This affects an unknown function of the file /goform/set_blacklist of the component HTTP Handler. Such manipulation of the argument mac leads to os command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | [email protected] | 2.1 | 6.73% | 2025-08-28 | 2026-04-29 |
| CVE-2025-7565 | A vulnerability, which was classified as critical, was found in LB-LINK BL-AC3600 up to 1.0.22. This affects the function geteasycfg of the file /cgi-bin/lighttpd.cgi of the component Web Management Interface. The manipulation of the argument Password leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | [email protected] | 5.5 | 0.62% | 2025-07-14 | 2025-07-17 |
| CVE-2025-7564 | A vulnerability, which was classified as critical, has been found in LB-LINK BL-AC3600 1.0.22. Affected by this issue is some unknown functionality of the file /etc/shadow. The manipulation with the input root:blinkadmin leads to hard-coded credentials. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | [email protected] | 7.1 | 0.21% | 2025-07-14 | 2026-04-29 |
| CVE-2025-29063 | An issue in BL-AC2100 V1.0.4 and before allows a remote attacker to execute arbitrary code via the enable parameter passed to /goform/set_hidessid_cfg is not handled properly. | [email protected] | 9.8 | 0.87% | 2025-04-02 | 2025-04-29 |
| CVE-2025-29062 | An issue in BL-AC2100 <=V1.0.4 allows a remote attacker to execute arbitrary code via the time1 and time2 parameters in the set_LimitClient_cfg of the goahead webservice. | [email protected] | 9.8 | 0.87% | 2025-04-02 | 2025-04-29 |
| CVE-2025-1610 | A vulnerability was found in LB-LINK AC1900 Router 1.0.2 and classified as critical. Affected by this issue is the function websGetVar of the file /goform/set_blacklist. The manipulation of the argument mac/enable leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | [email protected] | 5.3 | 12.81% | 2025-02-24 | 2025-11-04 |
| CVE-2025-1609 | A vulnerability has been found in LB-LINK AC1900 Router 1.0.2 and classified as critical. Affected by this vulnerability is the function websGetVar of the file /goform/set_cmd. The manipulation of the argument cmd leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | [email protected] | 5.3 | 9.88% | 2025-02-24 | 2025-11-04 |
| CVE-2025-1608 | A vulnerability, which was classified as critical, was found in LB-LINK AC1900 Router 1.0.2. Affected is the function websGetVar of the file /goform/set_manpwd. The manipulation of the argument routepwd leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | [email protected] | 5.3 | 9.88% | 2025-02-24 | 2025-11-04 |
| CVE-2024-51431 | LB-LINK BL-WR 1300H v.1.0.4 contains hardcoded credentials stored in /etc/shadow which are easily guessable. | [email protected] | 9.8 | 0.56% | 2024-11-01 | 2024-11-05 |
| CVE-2024-33373 | An issue in the LB-LINK BL-W1210M v2.0 router allows attackers to bypass password complexity requirements and set single digit passwords for authentication. This vulnerability can allow attackers to access the router via a brute-force attack. | [email protected] | 6.3 | 0.30% | 2024-06-14 | 2025-06-06 |
| CVE-2024-33377 | LB-LINK BL-W1210M v2.0 was discovered to contain a clickjacking vulnerability via the Administrator login page. Attackers can cause victim users to perform arbitrary operations via interaction with crafted elements on the web page. | [email protected] | 8.1 | 0.44% | 2024-06-14 | 2025-05-30 |
| CVE-2024-33375 | LB-LINK BL-W1210M v2.0 was discovered to store user credentials in plaintext within the router's firmware. | [email protected] | 9.8 | 0.62% | 2024-06-14 | 2025-05-30 |
| CVE-2023-26801 | LB-LINK BL-AC1900_2.0 v1.0.1, LB-LINK BL-WR9000 v2.4.9, LB-LINK BL-X26 v1.2.5, and LB-LINK BL-LTE300 v1.0.8 were discovered to contain a command injection vulnerability via the mac, time1, and time2 parameters at /goform/set_LimitClient_cfg. | [email protected] | 9.8 | 69.66% | 2023-03-26 | 2025-05-05 |