CVE-2014-125122

MEDIUM

Linksys WRT120N 1.0.07 - Unauthenticated Stack-based Buffer Overflow via TM_Block_URL Parameter


Exploitation Summary

EIP tracks 2 public exploits for CVE-2014-125122. PoCs published by Craig Heffner, including Metasploit module auxiliary/admin/http/linksys_tmunblock_admin_reset_bof.


Description

A stack-based buffer overflow vulnerability exists in the tmUnblock.cgi endpoint of the Linksys WRT120N wireless router. The vulnerability is triggered by sending a specially crafted HTTP POST request with an overly long TM_Block_URL parameter to the endpoint. By exploiting this flaw, an unauthenticated remote attacker can overwrite memory in a controlled manner, enabling them to temporarily reset the administrator password of the device to a blank value. This grants unauthorized access to the router’s web management interface without requiring valid credentials.

Exploits (2)

exploitdb WORKING POC
by Craig Heffner · python · remote · hardware
https://www.exploit-db.com/exploits/31758

This exploit targets a stack overflow in WRT120N v1.0.0.7 via a crafted POST request to tmUnblock.cgi, using ROP to overwrite the admin password in memory. The payload is designed to clear the admin password by manipulating memory addresses.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Linksys WRT120N v1.0.0.7
No auth needed
Prerequisites: Network access to the target device · tmUnblock.cgi endpoint must be accessible
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC
by Craig Heffner · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/linksys_tmunblock_admin_reset_bof.rb

This Metasploit module exploits a stack-based buffer overflow in Linksys WRT120N routers to reset the admin password to an empty value. It uses a crafted POST request to tmUnblock.cgi with a malicious payload to overwrite the admin password in memory.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Linksys WRT120N firmware 1.0.07
No auth needed
Prerequisites: Network access to the router's web interface · tmUnblock.cgi endpoint accessible
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v4: 5.3
CVSS v4 vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
EPSS: 0.5172
EPSS Percentile: 98.0%

CISA SSVC

Source: Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-121
Status: published
Products (1): Linksys/WRT120N 1.0.07
Published: Jul 31, 2025
Tracked Since: Feb 18, 2026