CVE-2025-57278

High CVSS: 8.8

The LB-Link BL-CPE300M AX300 4G LTE Router firmware version BL-R8800_B10_ALK_SL_V01.01.02P42U14_06 does not implement proper session handling. After a user authenticates from a specific IP address, the router grants access to any other client using that same IP, without requiring credentials or verifying client identity. There are no session tokens, cookies, or unique identifiers in place. This flaw allows an attacker to obtain full administrative access simply by configuring their device to use the same IP address as a previously authenticated user. This results in a complete authentication bypass.

Vendor

Lb-link

Product

Bl-cpe300m Firmware

CWE

CWE-287

Yayın Tarihi

2025-09-09 19:15:57

Güncelleme

2025-10-10 17:56:10

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-287 Bl-cpe300m Firmware HIGH Lb-link 2025

Referanslar

https://www.lb-link.com/CPE300M-AX300-4G-LTE-Router-pd502775568.html https://www.zyenra.com/blog/improper-ip-bound-session-authentication-in-lb-link-cpe300m

Benzer Kayıtlar

Medium

CVE-2026-4228

A vulnerability was detected in LB-LINK BL-WR9000 2.4.9. This affects the function sub_458754 of the file /goform/set_wi…

High

CVE-2026-4226

A weakness has been identified in LB-LINK BL-WR9000 2.4.9. The affected element is the function sub_44E8D0 of the file /…

High

CVE-2026-4227

A security vulnerability has been detected in LB-LINK BL-WR9000 2.4.9. The impacted element is the function sub_44D844 o…

High

CVE-2025-10773

A security flaw has been discovered in B-Link BL-AC2100 up to 1.0.3. Affected by this issue is the function delshrpath o…

Medium

CVE-2025-7565

A vulnerability, which was classified as critical, was found in LB-LINK BL-AC3600 up to 1.0.22. This affects the functio…

High

CVE-2025-7564

A vulnerability, which was classified as critical, has been found in LB-LINK BL-AC3600 1.0.22. Affected by this issue is…