Security Flaws in Pix-Link LV-WR21Q Routers Expose Wi-Fi Passwords
Take action: There is no patch for this one, so isolation is your primary defense. Make sure the management interface of the routers are isolated from the internet and accessible from trusted networks only. Since the vendor has not provided a patch for these flaws, plan a replacement.
Learn More
Pix-Link LV-WR21Q routers is reported to have critical security flaws that let attackers steal passwords and break the management interface.
Vulnerabilities summary:
- CVE-2025-12386 (CVSS score 9.1): Missing authentication for the /goform/getHomePageInfo endpoint. Attackers can query the /goform/getHomePageInfo path without a password to pull configuration data. This allows anyone with network access to see the cleartext password for the wireless access point, compromising the entire local network.
- CVE-2025-12387 (CVSS score 7.5): Improper check in the language module causing a denial of service. By sending a specific web request with a fake language setting, an attacker can crash the administrator panel. This prevents the owner from changing settings or managing the device until the language value is manually reset. This attack breaks the management interface but does not stop the router from passing traffic.
The flaws affect firmware version V108_108, though other versions likely remain at risk because the vendor did not respond to the report.
Since the vendor has not released a patch, users must take manual steps to protect their networks. Disable remote management and ensure the router is not reachable from the public internet. If possible, replace the device with one from a vendor that provides active security updates.
