1. Introduction

The LB-Link BL-CPE300M AX300 4G LTE Router firmware version BL-R8800_B10_ALK_SL_V01.01.02P42U14_06 does not implement proper session handling. After a user authenticates from a specific IP address, the router grants access to any other client using that same IP, without requiring credentials or verifying client identity. There are no session tokens, cookies, or unique identifiers in place. This flaw allows an attacker to obtain full administrative access simply by configuring their device to use the same IP address as a previously authenticated user. This results in a complete authentication bypass.
  • Affected Component - Web management interface – all authenticated endpoints (e.g., /goform/* and /api/*)
  • Attack Type - Local / LAN-based Remote
  • Vendor - LB-Link

2. Analysis and Proof of Concept

PoC Explanation

A legitimate admin logs into the router from IP 192.168.100.111. The attacker configures a system or container to use the same IP address and sends unauthenticated requests to authenticated endpoints. The router grants access without validating session state, enabling the attacker to perform all actions as the admin user, including modifying configurations, accessing logs, or rebooting the device.
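The difference between the IP-keyed authorization described above and a token-bound session check can be modelled in a few lines. This is an added illustration, not the router's firmware code and not the researcher's PoC; the class names, method names and the 900-second timeout are assumptions made for the sketch.

```python
import secrets
import time

SESSION_TTL = 900  # seconds; assumed idle timeout for this sketch

class IpKeyedAuth:
    """Models the flawed behaviour: login state is keyed on source IP only."""

    def __init__(self):
        self.authed_ips = set()

    def login(self, src_ip):
        self.authed_ips.add(src_ip)

    def is_authorized(self, src_ip, cookie=None):
        # Any client presenting this source address is treated as the admin.
        return src_ip in self.authed_ips

class TokenSessionAuth:
    """Hardened form: each login gets an unguessable token the client must present."""

    def __init__(self, now=time.monotonic):
        self.sessions = {}  # token -> (src_ip, expiry)
        self.now = now

    def login(self, src_ip):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (src_ip, self.now() + SESSION_TTL)
        return token  # a real server would set this as an HttpOnly cookie

    def is_authorized(self, src_ip, cookie=None):
        entry = self.sessions.get(cookie) if cookie else None
        if entry is None:
            return False  # no token, no access, whatever the source IP
        ip, expiry = entry
        if self.now() > expiry:
            del self.sessions[cookie]  # expired sessions are dropped
            return False
        return ip == src_ip  # the IP is an extra binding, never the credential

def demo(admin_ip="192.168.100.111"):  # address from the PoC explanation
    weak, strong = IpKeyedAuth(), TokenSessionAuth()
    weak.login(admin_ip)
    cookie = strong.login(admin_ip)
    return (weak.is_authorized(admin_ip),            # same IP, no credentials
            strong.is_authorized(admin_ip),          # same IP, no cookie
            strong.is_authorized(admin_ip, cookie))  # legitimate browser
```

`demo()` returns `(True, False, True)`: only the IP-keyed model accepts a request that carries nothing but the admin's source address.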

4. Timeline

  • 31/07/2025 – Sent the vulnerability report to LB-Link
  • 08/09/2025 – MITRE Team assigned CVE-2025-57278
  • 09/09/2025 – Publicly disclosed the security issue details

Author / Researcher

Ravindu Wickramasinghe | rvz
All Rights Reserved - Copyright © 2025 - Zyenra Security