CVE-2025-51569 - XSS in LB-Link BL-CPE300M AX300 4G LTE Router
Title: XSS in LB-Link BL-CPE300M AX300 4G LTE Router
Severity: Medium 5.3 (CVSS 4.0)
Researcher: Ravindu Wickramasinghe | rvz (@rvizx9)
Product: BL-CPE300M AX300 4G LTE Router
Vulnerable Versions:BL-R8800_B10_ALK_SL_V01.01.02P42U14_06c
Fixed Versions: N/A
CVE: CVE-2025-51569
1. Introduction
The LB-Link BL-CPE300M router web interface is vulnerable to reflected cross-site scripting (XSS) vulnerability. A reflected cross-site scripting (XSS) vulnerability exists in the LB-Link BL-CPE300M 01.01.02P42U14_06 router's web interface. The /goform/goform_get_cmd_process endpoint fails to sanitize user input in the cmd parameter before reflecting it into a text/html response. This allows unauthenticated attackers to inject arbitrary JavaScript, which is executed in the context of the router's origin when the crafted URL is accessed. The issue requires user interaction to exploit.
2. Analysis and Proof of Concept
1. Access the router interface via a browser at `http://192.168.100.1`
2. Navigate to the following crafted URL:
Payload:
http://192.168.100.1/goform/goform_get_cmd_process?multi_data=1&cmd=%22%3E%3Cstyle%20onload=alert(%60xss-by-rvz-(@rvizx9)%60);%3E
3. The injected payload executes immediately upon loading due to lack of input validation.
PoC Video:
3. Timeline
17/05/2025 - Sent the vulnerability report to LB-Link.
25/05/2025 - Sent a follow up email.
17/06/2025 - Sent another follow up email. (Didn't recieve any reply)
29/07/2025 - MITRE Team Assigned CVE-2025-51569
31/07/2025 - Publicly disclosed the security issue details.