CRITICAL🇵🇱 Wersja polska

CVE-2018-25115

CVSS 10.0v4.0pub. 2025-08-27upd. 2025-09-24

Multiple D-Link DIR-series routers, including DIR-110, DIR-412, DIR-600, DIR-610, DIR-615, DIR-645, and DIR-815 firmware version 1.03, contain a vulnerability in the service.cgi endpoint that allows remote attackers to execute arbitrary system commands without authentication. The flaw stems from improper input handling in the EVENT=CHECKFW parameter, which is passed directly to the system shell without sanitization. A crafted HTTP POST request can inject commands that are executed with root privileges, resulting in full device compromise. These router models are no longer supported at the time of assignment and affected version ranges may vary. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-08-21 UTC.

🤖 AI Analysis
How it works

The vulnerability is located in the service.cgi endpoint, where the EVENT=CHECKFW parameter passed in an HTTP POST request is directly passed to the system shell without any input data sanitization (CWE-78: OS Command Injection). An attacker can craft an HTTP POST request containing malicious commands injected into the value of this parameter. The injected commands are executed immediately with root privileges, leading to complete device takeover.

Impact

The attacker gains full control over the device with root privileges — can execute arbitrary system commands, modify configuration, intercept network traffic, and use the device as an entry point to the local network. The result is complete device compromise.

Mitigation & patch

D-Link manufacturer will not release patches for these devices as they are covered by End-of-Life policy. Immediate replacement of vulnerable devices with currently supported models is recommended. Until replacement, the following should be done: isolate devices from the internet (block access to the management interface from WAN), apply additional firewall rules restricting access to the service.cgi endpoint, and monitor network traffic for exploitation attempts.

Who is affected

D-Link DIR-110, DIR-412, DIR-600, DIR-610, DIR-615, DIR-645, and DIR-815 routers with firmware version 1.03. The exact range of affected versions may vary depending on the model — see references for details. All mentioned models are covered by the manufacturer's End-of-Life policy.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Dlink Dir 110

    HW
    Dlink
    wszystkie wersje
  • Dlink Dir 110 Firmware

    OS
    Dlink
    wszystkie wersje
  • Dlink Dir 412

    HW
    Dlink
    wszystkie wersje
  • Dlink Dir 412 Firmware

    OS
    Dlink
    wszystkie wersje
  • Dlink Dir 600

    HW
    Dlink
    wszystkie wersje
  • Dlink Dir 600 Firmware

    OS
    Dlink
    wszystkie wersje
  • Dlink Dir 610

    HW
    Dlink
    wszystkie wersje
  • Dlink Dir 610 Firmware

    OS
    Dlink
    wszystkie wersje
  • Dlink Dir 615

    HW
    Dlink
    wszystkie wersje
  • Dlink Dir 615 Firmware

    OS
    Dlink
    wszystkie wersje
  • Dlink Dir 645

    HW
    Dlink
    wszystkie wersje
  • Dlink Dir 645 Firmware

    OS
    Dlink
    wszystkie wersje
  • Dlink Dir 815

    HW
    Dlink
    wszystkie wersje
  • Dlink Dir 815 Firmware

    OS
    Dlink
    1.03
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Command Injection
CWE
References

Related vulnerabilities

CVE-2019-16920CRITICAL9.8⚠ KEVten sam produkt

Unauthenticated remote code execution occurs in D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1...

CVE-2014-8361CRITICAL9.8⚠ KEVten sam produkt

The miniigd SOAP service in Realtek SDK allows remote attackers to execute arbitrary code via a crafted NewInt...

CVE-2013-10069CRITICAL10.0PL ✓ten sam produkt

D-Link DIR-300/DIR-600 — nieuwierzytelniony OS command injection w command.php

CVE-2013-10048CRITICAL9.3PL ✓ten sam produkt

D-Link DIR-300/DIR-600: nieuwierzytelniony command injection z uprawnieniami root

CVE-2024-22651CRITICAL9.8PL ✓ten sam produkt

Command injection w routerze D-Link DIR-815 — podatność krytyczna (CVSS 9.8)