Router CVE Weekly Digest — Week of Jul 21, 2025

Published July 21, 2025 · RouterCVE Weekly Digest

8 CVEs · 2 Critical · 3 High · 1 Low

Affected Vendors

  • Netgear: 3 CVEs (1 critical, 2 high)
  • Linksys: 2 CVEs (1 critical, 1 low)
  • ASUS: 2 CVEs (both unassigned severity)
  • Lantronix: 1 CVE (high)

Critical Vulnerabilities Require Immediate Action

This week brought two critical vulnerabilities with CVSS scores of 9.8, both stemming from dangerous FTP server misconfigurations on consumer-grade routers.

CVE-2025-44654 affects Linksys E2500 3.0.04.002 and involves an improperly configured vsftpd service with the chroot_local_user option enabled. This setting fails to properly restrict FTP users to their home directories, potentially allowing attackers to access sensitive system files, escalate privileges, or manipulate critical router configurations. Given the E2500's widespread deployment in small office and home networks, this poses significant risk.

CVE-2025-44658 impacts Netgear RAX30 V1.0.10.94 through a PHP-FPM misconfiguration that fails to restrict file execution to .php extensions. Attackers can upload malicious files with alternative extensions (such as .phtml or .phar) and execute arbitrary code on the device. This is a particularly dangerous vector because many administrators assume modern routers have robust file upload protections.

Immediate action required: Check your router inventory for affected models and firmware versions. Linksys and Netgear should release patches urgently; check their support pages for firmware updates. If patches are unavailable, consider disabling FTP services entirely or restricting FTP access to trusted internal networks only.

High-Severity DoS and RCE Issues

Two additional high-severity vulnerabilities warrant attention. CVE-2025-44652 and CVE-2025-44650 both involve improper FTP user limits on Netgear routers (RAX30 and R7000/EAX80 respectively). When the USERLIMIT_GLOBAL option is set to 0, unlimited concurrent FTP connections are permitted, enabling denial-of-service attacks that can exhaust system resources and render the router unstable.
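The three misconfiguration patterns above (writable chroot confinement in vsftpd, the USERLIMIT_GLOBAL connection limit, and PHP-FPM extension restriction) can be audited from the configuration text itself. The following is an added example, not code from the digest or from any vendor: it parses key=value configuration in vsftpd and php-fpm style and flags the weak settings described in the critical and high-severity entries. The sample configs are constructed; the check on chroot_local_user follows the vsftpd documentation's warning about that option combined with upload permission, and USERLIMIT_GLOBAL is taken as the option the digest names.

```python
# Constructed samples modelled on this digest's misconfigurations, not captured from a device.
VSFTPD_CONF = """\
local_enable=YES
write_enable=YES
chroot_local_user=YES
USERLIMIT_GLOBAL=0
"""
PHP_FPM_POOL = """\
[www]
listen = 127.0.0.1:9000
security.limit_extensions =
"""

def parse_kv(text):
    """Parse key=value lines (vsftpd and php-fpm ini style); skip comments and [sections]."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def audit_ftp(conf):
    s = parse_kv(conf)
    findings = []
    # vsftpd's documentation warns that chroot_local_user has security implications
    # when users may upload; the E2500/EA6350 entries concern that confinement failing.
    if s.get("chroot_local_user", "NO").upper() == "YES" and s.get("write_enable", "NO").upper() == "YES":
        findings.append("chroot_local_user=YES with write_enable=YES: verify users stay confined")
    # USERLIMIT_GLOBAL is the option the digest names for the RAX30 and R7000/EAX80 DoS entries.
    if s.get("USERLIMIT_GLOBAL") == "0":
        findings.append("USERLIMIT_GLOBAL=0: unlimited concurrent FTP connections")
    return findings

def audit_php_fpm(pool):
    s = parse_kv(pool)
    findings = []
    # PHP-FPM executes only files whose extension is listed here (default ".php");
    # an explicitly empty value disables the check, the RAX30 condition in this digest.
    if "security.limit_extensions" in s:
        exts = s["security.limit_extensions"].split()
        if not exts:
            findings.append("security.limit_extensions empty: any upload extension is executable")
        elif set(exts) - {".php"}:
            findings.append("security.limit_extensions also allows " + " ".join(sorted(set(exts) - {".php"})))
    return findings
```

Run the two audit functions over configuration pulled from a device's filesystem or firmware image; an empty list means none of the digest's patterns were found.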

CVE-2025-7766 affects Lantronix Provisioning Manager and involves XML external entity (XXE) injection in configuration file parsing. Attackers can exploit the XXE to achieve unauthenticated remote code execution on hosts running the Provisioning Manager. This is particularly critical for organizations managing device fleets, because the vulnerable parsing applies to configurations supplied by networked devices.

Lower-Risk Issues and Recommendations

CVE-2025-44657 mirrors the E2500 vulnerability on the Linksys EA6350 V2.1.2 with a lower severity rating (3.9 CVSS), though the underlying risk remains the same.

Two ASUS MyASUS vulnerabilities (CVE-2025-4569 and CVE-2025-4570) involve insecure sensitive key storage, potentially allowing attackers to steal authentication tokens. While assigned CVSS scores suggest moderate risk, token theft can lead to unauthorized service access.

General recommendations: Prioritize patching critical and high-severity issues first. For organizations running Netgear, Linksys, or Lantronix infrastructure, contact vendor support channels immediately. Enable automatic firmware updates where available, and audit FTP/SFTP access policies—many modern deployments can operate entirely without FTP. Monitor your RouterCVE dashboard for patch releases from affected vendors.