CVE-2025-51569 – XSS in LB-Link BL-CPE300M AX300 4G LTE Router
Author: Ravindu Wickramasinghe | 31-07-2025
1. Introduction
The LB-Link BL-CPE300M router web interface is vulnerable to reflected cross-site scripting (XSS) vulnerability. A reflected cross-site scripting (XSS) vulnerability exists in the LB-Link BL-CPE300M 01.01.02P42U14_06 router’s web interface. The /goform/goform_get_cmd_process endpoint fails to sanitize user input in the cmd parameter before reflecting it into a text/html response. This allows unauthenticated attackers to inject arbitrary JavaScript, which is executed in the context of the router’s origin when the crafted URL is accessed. The issue requires user interaction to exploit.2. Analysis and Proof of Concept
- Access the router interface via a browser at http://192.168.100.1
- Navigate to the following crafted U
Payload:
- The injected payload executes immediately upon loading due to lack of input validation.
PoC Video:
3. Statement from TP-Link Company
TP-Link has acknowledged the vulnerability identified in the TP-Link A20 v3 Router, confirming its existence. However, the company has clarified that the affected model has reached its End of Life (EOL) status, in accordance with their End-of-Life Policy. After a comprehensive evaluation, TP-Link’s security and product teams concluded that the scope and severity of the vulnerability are limited, and as such, no corrective actions will be taken for this model. The company assured that it is actively assessing other models to identify potential vulnerabilities and ensure the continued security of its product4. Timeline
- 17/05/2025 – Sent the vulnerability report to LB-Link
- 25/05/2025 – Sent a follow-up email
- 17/06/2025 – Sent another follow-up email (didn’t receive any reply)
- 29/07/2025 – MITRE Team assigned CVE-2025-51569
- 31/07/2025 – Publicly disclosed the security issue details