CVE-2025-12387

{"id": "CVE-2025-12387", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "cvd@cert.pl", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-01-27T12:15:57.243", "references": [{"url": "https://cert.pl/en/posts/2026/01/CVE-2025-12386", "source": "cvd@cert.pl"}, {"url": "https://github.com/wcyb/security_research", "source": "cvd@cert.pl"}, {"url": "https://www.pix-link.com/lv-wr21q", "source": "cvd@cert.pl"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "cvd@cert.pl", "description": [{"lang": "en", "value": "CWE-754"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the Pix-Link LV-WR21Q router's language module allows remote attackers to trigger a denial of service (DoS) by sending a specially crafted HTTP POST request containing non-existing language parameter. This renders the server unable to serve correct lang.js file, which causes administrator panel to not work, resulting in DoS until the language settings is reverted to a correct value. The Denial of Service affects only the administrator panel and does not affect other router functionalities.\n\nThe vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version V108_108 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable."}, {"lang": "es", "value": "Una vulnerabilidad en el m\u00f3dulo de idioma del router Pix-Link LV-WR21Q permite a atacantes remotos activar una denegaci\u00f3n de servicio (DoS) enviando una solicitud HTTP POST especialmente dise\u00f1ada que contiene un par\u00e1metro de idioma inexistente. Esto hace que el servidor no pueda servir el archivo lang.js correcto, lo que provoca que el panel de administraci\u00f3n no funcione, resultando en DoS hasta que la configuraci\u00f3n de idioma se revierta a un valor correcto. La denegaci\u00f3n de servicio afecta solo al panel de administraci\u00f3n y no afecta a otras funcionalidades del router.\n\nEl proveedor fue notificado con antelaci\u00f3n sobre esta vulnerabilidad, pero no respondi\u00f3 con los detalles de la vulnerabilidad o el rango de versiones vulnerables. Solo la versi\u00f3n V108_108 fue probada y confirmada como vulnerable, otras versiones no fueron probadas y tambi\u00e9n podr\u00edan ser vulnerables."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "cvd@cert.pl"}