Home

Description

A vulnerability in the Pix-Link LV-WR21Q router's language module allows remote attackers to trigger a denial of service (DoS) by sending a specially crafted HTTP POST request containing non-existing language parameter. This renders the server unable to serve correct lang.js file, which causes administrator panel to not work, resulting in DoS until the language settings is reverted to a correct value. The Denial of Service affects only the administrator panel and does not affect other router functionalities. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version V108_108 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

PUBLISHED Reserved 2025-10-28 | Published 2026-01-27 | Updated 2026-01-27 | Assigner CERT-PL




MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-754 Improper Check for Unusual or Exceptional Conditions

Product status

Default status
unknown

V108_108 (custom)
affected

Default status
unknown

V108_108 (custom)
affected

Credits

Wojciech Cybowski finder

References

cert.pl/en/posts/2026/01/CVE-2025-12386 third-party-advisory

www.pix-link.com/lv-wr21q product

github.com/wcyb/security_research exploit

cve.org (CVE-2025-12387)

nvd.nist.gov (CVE-2025-12387)

Download JSON