CVE-2020-35713

CRITICAL EXPLOITED NUCLEI

Linksys RE6500 Firmware < 1.0.012.001 - Unauthenticated Remote Code Execution via goform/setSysAdm

Title source: llm

Exploitation Summary

CVE-2020-35713 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including Al1ex. A Nuclei detection template is also available.

AI-analyzed exploit summary: The repository contains a functional Python exploit for CVE-2020-35713, demonstrating unauthenticated remote command execution on Linksys RE6500 devices via command injection in the `goform/setSysAdm` endpoint. The exploit chains commands to extract the password, enable telnet, and reset the admin password.

Description

Belkin LINKSYS RE6500 devices before 1.0.012.001 allow remote attackers to execute arbitrary commands or set a new password via shell metacharacters to the goform/setSysAdm page.

Exploits (1)

nomisec WORKING POC 1 stars
by Al1ex · remote
https://github.com/Al1ex/CVE-2020-35713

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Linksys RE6500 (FW V1.05 up to FW v1.0.11.001)
Authentication: No auth needed
Prerequisites: Network access to the target device · Target device must be running vulnerable firmware
devstral-2 · analyzed Feb 18, 2026

Nuclei Templates (1)

Belkin Linksys RE6500 <1.0.012.001 - Remote Command Execution
CRITICAL · by gy741

Scores

CVSS v3: 9.8
EPSS: 0.3270
EPSS Percentile: 98.1%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV: 2024-01-22
CWE: CWE-78
Status: published
Products (1): linksys/re6500_firmware < 1.0.012.001
Published: Dec 26, 2020
Tracked Since: Feb 18, 2026