Full Report
CERT Polska has received a report about 2 vulnerabilities (CVE-2025-12386 and CVE-2025-12387) found in LV-WR21Q firmware.
Analysis Summary
This summary consolidates the information for the two vulnerabilities reported in the Pix-Link LV-WR21Q firmware by CERT Polska.
---
# Vulnerability: Unauthenticated Information Disclosure and DoS in Pix-Link LV-WR21Q Firmware
## CVE Details
- CVE ID: CVE-2025-12386
  - CVSS Score: Not specified (Assumed High due to cleartext password retrieval)
  - CWE: CWE-306 (Missing Authentication for Critical Function)
- CVE ID: CVE-2025-12387
  - CVSS Score: Not specified (Assumed Medium/High impact for admin panel)
  - CWE: CWE-754 (Improper Check for Unusual or Exceptional Conditions)
## Affected Systems
- Products: Pix-Link LV-WR21Q Router
- Versions: V108\_108 (Confirmed vulnerable. Other versions not tested but might be affected.)
- Configurations: Standard installation.
## Vulnerability Description
**CVE-2025-12386 (Authentication Bypass/Info Disclosure):** The endpoint `/goform/getHomePageInfo` fails to enforce any form of authentication. A remote, unauthenticated attacker can access this endpoint to retrieve sensitive information, such as the access point's cleartext administrative password.
**CVE-2025-12387 (Denial of Service):** A flaw exists in the language module allowing remote attackers to induce a Denial of Service (DoS) targeting the administrator panel. This is achieved by sending a specially crafted HTTP POST request containing a parameter referencing a non-existent language setting. This prevents the system from serving the necessary `lang.js` file, effectively breaking the admin interface until the language setting is reverted. Other router functionalities remain operational.
## Exploitation
- Status: Not specified, but cleartext password exposure often implies immediate exploitability. PoCs likely exist given the direct access to sensitive data and simple DoS condition.
- Complexity: Likely Low for CVE-2025-12386 (simple HTTP call); Low/Medium for CVE-2025-12387 (crafted POST request).
- Attack Vector: **Network** (Remote)
## Impact
| CVE | Confidentiality | Integrity | Availability |
| :--- | :--- | :--- | :--- |
| CVE-2025-12386 | High (Password disclosure) | Low | Low |
| CVE-2025-12387 | None | None | Medium (Administrator panel only) |
## Remediation
### Patches
- **Vendor Response:** The vendor (Pix-Link) was notified but had not responded with details or patch availability at the time of reporting. No specific patch version is confirmed available.
### Workarounds
- **Network Segmentation:** Restrict remote access to the router's management interface via firewall rules, allowing configuration access only from trusted internal networks.
- **For CVE-2025-12387:** Do not send requests that reference unknown or non-standard language settings to the router's management interface.
## Detection
- **Indicators of Compromise (CVE-2025-12386):** Look for unauthenticated GET requests to `/goform/getHomePageInfo` in web server/router logs.
- **Detection Methods and Tools:** Network monitoring and intrusion detection systems should flag traffic directed at management endpoints where access controls are expected but bypassed. Analyze logs for unusual language parameter manipulation in POST requests.
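
The log check for CVE-2025-12386 described above, as an added example (not code from CERT Polska or the vendor). It assumes Common Log Format lines from a proxy or sensor in front of the router and a trusted management subnet of 192.168.1.0/24; the sample lines are constructed, and the path normalization is a defensive choice that goes beyond what the advisory states about the firmware.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote

ENDPOINT = "/goform/gethomepageinfo"  # path from the advisory, lowercased for comparison
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # assumption: management LAN
# Assumption: Common Log Format lines from a proxy or sensor in front of the router.
CLF = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b')

def normalize_path(target):
    """Drop the query string, decode percent-escapes, collapse repeated slashes."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path).rstrip("/").lower()

def is_trusted(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparsable source is treated as untrusted
    return any(addr in net for net in TRUSTED_NETS)

def find_hits(lines):
    """Return requests to the endpoint whose source is outside TRUSTED_NETS."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m or normalize_path(m["target"]) != ENDPOINT or is_trusted(m["src"]):
            continue
        # Status 200 means the response body was actually served to the client.
        hits.append({"src": m["src"], "ts": m["ts"], "method": m["method"],
                     "served": m["status"] == "200"})
    return hits

def served_by_source(hits):
    """Count served responses per source address to prioritise follow-up."""
    return Counter(h["src"] for h in hits if h["served"])

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE = [
    '192.168.1.10 - - [01/Jan/2025:10:00:00 +0000] "GET /goform/getHomePageInfo HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2025:10:00:05 +0000] "GET /goform/getHomePageInfo HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2025:10:00:06 +0000] "GET /goform//getHomePageInfo?t=1 HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jan/2025:10:01:00 +0000] "GET /goform/%67etHomePageInfo HTTP/1.1" 403 0',
    '198.51.100.9 - - [01/Jan/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE):
        print(hit)
```
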
## References
- Vendor advisories: None immediately available from Pix-Link.
- Relevant links:
  - CERT Polska Report Information: hxxps://cert.pl/en/news/
  - Coordinated Vulnerability Disclosure process: hxxps://cert.pl/en/cvd/