Affected Vendors This Week
- Cisco: 35 CVEs (1 critical, 7 high, 27 medium/other)
- Netgear: 8 CVEs (7 critical, 1 other)
- Linksys: 5 CVEs (5 critical)
- ASUS: 2 CVEs (0 router-related)
This week brings a significant spike in router vulnerabilities, with 50 new CVEs across the major vendors. The standout trend is a wave of critical command injection flaws affecting consumer and SMB routers, along with a concerning set of Cisco vulnerabilities in enterprise-grade wireless controllers.
Critical Threats Requiring Immediate Action
Linksys E5600 Command Injection Cluster: Five critical vulnerabilities have been discovered in the Linksys E5600 v1.1.0.26, all achieving a CVSS score of 9.8. These flaws allow unauthenticated remote attackers to inject arbitrary commands through multiple vectors: the DynDNS function password, username, hostname, and mailex parameters (CVE-2025-45490, CVE-2025-45491, CVE-2025-45489, CVE-2025-45488), as well as the Internet Connection function (CVE-2025-45487). If your organization uses E5600 models, firmware updates should be treated as urgent. Check the Linksys support portal immediately for patched versions.
Netgear RAX5 and EX8000 Command Injection Vulnerabilities: Netgear devices are equally impacted with seven critical command injection flaws. The RAX5 (AX1600) router running v1.0.2.26 contains command injection vulnerabilities across multiple wireless functions: apcli_do_enr_pbc_wps, apcli_wps_gen_pincode, vif_disable, vif_enable, apcli_cancel, and reset_wifi functions (CVE-2024-57231, CVE-2024-57232, CVE-2024-57233, CVE-2024-57234, CVE-2024-57235, CVE-2024-57229, CVE-2024-57230). Additionally, the Netgear EX8000 v1.0.0.126 is vulnerable to command injection via the Iface parameter in the action_wireless function (CVE-2025-45492). These vulnerabilities enable attackers to execute arbitrary system commands without authentication. Netgear customers should urgently check for firmware updates; these devices are commonly deployed in small offices and home networks, making them attractive targets.
Cisco IOS XE Critical Vulnerability: CVE-2025-20188 represents a perfect-storm vulnerability with a maximum CVSS score of 10.0. It affects the Out-of-Band Access Point (AP) Image Download, Clean Air Spectral Recording, and client debug bundles features in Cisco IOS XE Software for Wireless LAN Controllers. This unauthenticated, network-adjacent vulnerability could allow remote attackers to execute arbitrary code or cause denial of service. Organizations managing Cisco wireless LAN controllers should prioritize this patch above all others.
Broader Cisco Enterprise Threat Landscape
Beyond the critical flaw, Cisco disclosed 34 additional vulnerabilities affecting IOS, IOS XE, ASA, and Firepower software. Notable high-severity issues include:
- CVE-2025-20186: Authenticated remote code execution in the IOS XE web management interface (CVSS 8.8)
- CVE-2025-20182: IKEv2 protocol vulnerability in ASA and Firepower (CVSS 8.6)
- CVE-2025-20154: TWAMP server vulnerability allowing unauthenticated denial of service (CVSS 8.6)
- CVE-2025-20162: DHCP snooping security bypass causing full DoS in IOS XE (CVSS 8.6)
- CVE-2025-20164: Authenticated remote code execution in Industrial Ethernet Switch Device Manager (CVSS 8.3)
Cisco customers managing large deployments should prioritize these patches in their vulnerability management workflows.
Recommendations for Network Administrators
- Immediate (today): Inventory your Linksys E5600, Netgear RAX5, and Netgear EX8000 devices. Check manufacturer support pages for available patches. If running vulnerable versions, schedule emergency updates or plan device replacements.
- This week: Review your Cisco device fleet. Prioritize CVE-2025-20188 patches for wireless controllers, then work through the high-severity IOS XE and ASA vulnerabilities according to your risk assessment.
- Ongoing: Enable automatic security update notifications from your vendors. For enterprise deployments, test patches in lab environments before production rollout, but don't delay—these command injection flaws are trivial to exploit.
The concentration of critical flaws in consumer and SMB routers this week signals active threat research or potential coordinated disclosure. Network administrators managing mixed-vendor environments should treat this week as a priority patching cycle.