CVE-2025-5621
BaseFortify
Publication date: 2025-06-05
Last updated on: 2025-06-06
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dir-816_firmware | 1.10cnb05 |
| dlink | dir-816 | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-5621 is a critical OS command injection vulnerability in the D-Link DIR-816 router (version 1.10CNB05). It exists in the qosClassifier function within the /goform/qosClassifier file. The vulnerability occurs because the router improperly handles the dip_address and sip_address parameters, allowing an attacker to inject malicious OS commands remotely without authentication. This happens due to insufficient sanitization of input, enabling attackers to execute arbitrary commands on the device. [1]
How can this vulnerability impact me? :
This vulnerability can severely impact the confidentiality, integrity, and availability of the affected router. Since exploitation is remote and requires no authentication, attackers can execute arbitrary commands on the device, potentially taking full control. This can lead to unauthorized access, data leakage, disruption of network services, or using the device as a foothold for further attacks. The exploit is publicly available and considered easy to use, increasing the risk of compromise. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious HTTP requests targeting the /goform/qosClassifier endpoint with manipulated dip_address or sip_address parameters that may contain OS command injection payloads. Since the exploit is remotely accessible without authentication, inspecting web traffic logs or using network intrusion detection systems (NIDS) to look for unusual or malformed requests to /goform/qosClassifier can help detect exploitation attempts. Specific commands are not provided in the resources, but using tools like curl or wget to test the endpoint with crafted parameters or employing network monitoring tools to capture such traffic is recommended. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing the affected D-Link DIR-816 router (version 1.10CNB05) with an alternative product, as no known countermeasures or patches are available. Since the product is no longer supported, applying vendor patches is not possible. Additionally, restricting remote access to the device, disabling remote management features if possible, and monitoring network traffic for exploitation attempts can help reduce risk until replacement. [1]