CVE-2025-5620
BaseFortify
Publication date: 2025-06-05
Last updated on: 2025-06-06
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dir-816_firmware | 1.10cnb05 |
| dlink | dir-816 | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-5620 is a critical OS command injection vulnerability in the D-Link DIR-816 router firmware version 1.10CNB05. It exists in the setipsec_config function at the /goform/setipsec_config endpoint, where the localIP and remoteIP parameters are not properly sanitized. An attacker can remotely send crafted requests manipulating these parameters to inject and execute arbitrary operating system commands without authentication. [1, 2]
How can this vulnerability impact me? :
This vulnerability allows remote attackers to execute arbitrary OS commands on the affected router without authentication, compromising the device's confidentiality, integrity, and availability. It can lead to unauthorized control over the device, potentially disrupting network operations or enabling further attacks. The exploit is easy to perform and publicly available, increasing the risk of exploitation. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can be performed by monitoring network traffic for requests to the endpoint /goform/setipsec_config with suspicious or unusual values in the localIP and remoteIP parameters that may indicate command injection attempts. Since the vulnerability involves OS command injection via these parameters, you can use tools like curl or wget to test the endpoint by sending crafted requests with payloads designed to trigger command execution. For example, a command like: curl -v --data "localIP=127.0.0.1;id&remoteIP=127.0.0.1" http://<router-ip>/goform/setipsec_config could be used to test if command injection is possible. Additionally, network intrusion detection systems (NIDS) can be configured to alert on such suspicious requests targeting this endpoint. However, no specific detection commands or signatures are provided in the resources. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include discontinuing the use of the affected D-Link DIR-816 router with firmware version 1.10CNB05, as no known countermeasures or patches are available. It is strongly recommended to replace the affected product with a supported and updated device to avoid exploitation. Additionally, restricting remote access to the router's management interface and monitoring for suspicious activity can help reduce risk until replacement is possible. [2]