CVE-2025-12387

MEDIUM EPSS 46.9%
Published Jan 27, 20265mo ago · Modified Jun 17, 20262w ago
6.9 CVSS 4.0
Medium
Find Similar
Published Jan 27, 2026 5mo ago
Last Modified Jun 17, 2026 2w ago

Description

A vulnerability in the Pix-Link LV-WR21Q router's language module allows remote attackers to trigger a denial of service (DoS) by sending a specially crafted HTTP POST request containing non-existing language parameter. This renders the server unable to serve correct lang.js file, which causes administrator panel to not work, resulting in DoS until the language settings is reverted to a correct value. The Denial of Service affects only the administrator panel and does not affect other router functionalities. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version V108_108 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

CVSS Details

Base Score
6.9
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
46.9% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-754

References 3

  • cert.pl https://cert.pl/en/posts/2026/01/CVE-2025-12386
  • github.com https://github.com/wcyb/security_research
  • pix-link.com https://www.pix-link.com/lv-wr21q

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.