CVE-2025-10093
BaseFortify
Publication date: 2025-09-08
Last updated on: 2025-09-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dir-852_firmware | 1.00cn_b09 |
| dlink | dir-852 | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| NVD-CWE-noinfo | Insufficient information: the NVD placeholder used when there is not enough detail about the issue to assign a specific CWE. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-10093 is an authentication bypass vulnerability in the D-Link DIR-852 router firmware up to version 1.00CN B09. It affects the function `phpcgi_main` in the `/getcfg.php` file, part of the Device Configuration Handler. The vulnerability arises because the router processes user-supplied POST parameters before appending server-generated session validation variables. Due to a parsing behavior that prioritizes the first occurrence of variables, an attacker can inject a forged `AUTHORIZED_GROUP=1` parameter in the POST request, which overrides the legitimate server value (`AUTHORIZED_GROUP=-1`). This allows an unauthenticated remote attacker to bypass access controls and retrieve sensitive device configuration information, including administrator credentials, without authorization. [1, 2, 3]
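To make the precedence problem concrete, here is an added Python model of the flaw beside its fix. It is not D-Link's `phpcgi_main` code: the handler structure, the newline/`&` separators and the request bodies are constructed, and only the `AUTHORIZED_GROUP` semantics (`-1` means not logged in) follow the description above. The vulnerable handler concatenates the client body before the server variables and parses with first-occurrence-wins; the hardened handler parses client input separately, drops any reserved key the client tried to define, and merges the server values last so they always take precedence.

```python
"""
Model of the parameter-shadowing flaw described for CVE-2025-10093, next to a
hardened variant. Added illustration, not D-Link's code: the handler layout,
the separators and the request bodies are constructed; only the meaning of
AUTHORIZED_GROUP (-1 = unauthenticated, anything else = authorized) follows
the advisory text.
"""
from urllib.parse import unquote

# Variables the (hypothetical) server appends to the request environment.
# AUTHORIZED_GROUP=-1 marks an unauthenticated session, as the advisory describes.
SERVER_VARS = {"AUTHORIZED_GROUP": "-1"}

# Keys that only the server may define; any client attempt to set them is dropped.
RESERVED_KEYS = frozenset(SERVER_VARS)


def parse_vars(text):
    """Split KEY=VALUE pairs separated by '&' or newline into a dict.

    The FIRST occurrence of a key wins, mirroring the parsing behaviour the
    advisory attributes to phpcgi_main.
    """
    env = {}
    for pair in text.replace("\r", "").replace("\n", "&").split("&"):
        if "=" not in pair:
            continue
        key, value = pair.split("=", 1)
        env.setdefault(key, value)  # later duplicates are ignored
    return env


def vulnerable_handler(client_body):
    """Client body is concatenated BEFORE the server variables, so under
    first-wins parsing a client-supplied AUTHORIZED_GROUP shadows the server's -1."""
    server_suffix = "&".join(f"{k}={v}" for k, v in SERVER_VARS.items())
    return parse_vars(unquote(client_body) + "\n" + server_suffix)


def hardened_handler(client_body):
    """Parse client input on its own, strip reserved keys from it, and merge the
    server values last so they always take precedence."""
    client = {k: v for k, v in parse_vars(unquote(client_body)).items()
              if k not in RESERVED_KEYS}
    return {**client, **SERVER_VARS}


def is_authorized(env):
    """The access check the advisory describes: only AUTHORIZED_GROUP != -1 may read config."""
    return env.get("AUTHORIZED_GROUP", "-1") != "-1"


# Constructed request bodies: a normal config query and one that also tries to
# define the reserved key (the advisory's example uses %0a, a newline, as separator).
NORMAL_BODY = "SERVICES=DEVICE.ACCOUNT"
FORGED_BODY = "SERVICES=DEVICE.ACCOUNT%0aAUTHORIZED_GROUP=1"

if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_handler), ("hardened", hardened_handler)):
        for body in (NORMAL_BODY, FORGED_BODY):
            print(f"{name:10s} {body!r:48s} authorized={is_authorized(handler(body))}")
```

The important design point is that the fix does not rely on "last occurrence wins" instead of "first": either rule can be gamed once client and server data share one parse. Keeping the two inputs apart and giving the server's dictionary the final word removes the ordering question entirely.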
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive information from the affected D-Link DIR-852 router, such as device configuration details and administrator credentials. An attacker can remotely exploit this flaw without authentication, potentially gaining access to confidential device data. Since the affected products are no longer supported, no official patches are available, increasing the risk of exploitation. The impact primarily affects confidentiality, allowing attackers to gather sensitive information that could be used for further attacks or unauthorized access. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the vulnerable endpoint `/getcfg.php` on D-Link DIR-852 devices running firmware up to 1.00CN B09. One can use network scanning or web request tools to identify devices exposing this endpoint. Additionally, a proof-of-concept curl command can be used to test if the device is vulnerable by attempting to exploit the authentication bypass: `curl -d "SERVICES=DEVICE.ACCOUNT%0aAUTHORIZED_GROUP=1" "http://<device-ip>/getcfg.php"`. If sensitive device information is returned without authentication, the device is vulnerable. Also, Google hacking techniques such as searching for `inurl:getcfg.php` can help identify vulnerable devices exposed on the internet. [1, 2]
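For a defender who would rather watch for the pattern than probe the device, here is an added Python detection script (not from BaseFortify or the cited sources). It assumes a hypothetical reverse proxy or WAF in front of the router that writes one JSON record per request, including the request body; the records, field names and trusted networks are constructed. It flags any `/getcfg.php` request from outside the trusted networks and any request body that tries to define `AUTHORIZED_GROUP`, a key a client should never set.

```python
"""
Log-based detection for requests to /getcfg.php, the endpoint named in
CVE-2025-10093. Added example, not part of the BaseFortify record or any D-Link
tooling. Assumes a body-logging reverse proxy or WAF in front of the router
that emits one JSON object per request; records, field names and the trusted
networks below are constructed.
"""
import ipaddress
import json
import re
from urllib.parse import unquote

VULN_PATH = "/getcfg.php"

# Networks from which router management is expected (constructed placeholders).
TRUSTED_NETS = [ipaddress.ip_network("192.168.0.0/16"),
                ipaddress.ip_network("10.0.0.0/8")]

# A client must never define AUTHORIZED_GROUP. Match it at the start of the body
# or after an '&'/newline separator, on the URL-decoded body so %0a or %26
# encoding cannot hide the key.
FORGED_KEY = re.compile(r"(^|[&\r\n])AUTHORIZED_GROUP=", re.IGNORECASE)

# Constructed proxy records (one JSON object per line).
SAMPLE_LOGS = [
    '{"ts":"2025-09-10T08:00:01Z","src_ip":"192.168.1.20","method":"POST",'
    '"path":"/getcfg.php","body":"SERVICES=DEVICE.ACCOUNT"}',
    '{"ts":"2025-09-10T08:00:05Z","src_ip":"203.0.113.7","method":"POST",'
    '"path":"/getcfg.php","body":"SERVICES=DEVICE.ACCOUNT%0aAUTHORIZED_GROUP=1"}',
    '{"ts":"2025-09-10T08:00:09Z","src_ip":"192.168.1.21","method":"POST",'
    '"path":"/getcfg.php","body":"SERVICES=DEVICE.ACCOUNT&authorized_group=1"}',
    '{"ts":"2025-09-10T08:00:12Z","src_ip":"203.0.113.9","method":"GET",'
    '"path":"/index.php","body":""}',
]


def classify(record):
    """Return a list of findings for one request record (empty if benign)."""
    findings = []
    path = record.get("path", "").split("?", 1)[0]
    if path != VULN_PATH:
        return findings
    src = ipaddress.ip_address(record["src_ip"])
    if not any(src in net for net in TRUSTED_NETS):
        findings.append("untrusted source reached " + VULN_PATH)
    if FORGED_KEY.search(unquote(record.get("body", ""))):
        findings.append("client-supplied AUTHORIZED_GROUP (auth-bypass signature)")
    return findings


def classify_line(line):
    """Parse one JSON log line and classify it."""
    return classify(json.loads(line))


def scan(lines):
    """Return (src_ip, ts, findings) for every record that triggered a finding."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        hits = classify(rec)
        if hits:
            alerts.append((rec["src_ip"], rec["ts"], hits))
    return alerts


if __name__ == "__main__":
    for src, ts, hits in scan(SAMPLE_LOGS):
        print(f"{ts} {src}: " + "; ".join(hits))
```

The source-network rule works even with an ordinary access log that records only method and path; the body-signature rule needs a proxy or IDS that captures POST bodies. Running the signature on the decoded body matters because the advisory's own example separates the forged key with `%0a`, which a raw-string match for `&AUTHORIZED_GROUP=` would miss.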
What immediate steps should I take to mitigate this vulnerability?
Since the affected D-Link DIR-852 devices are no longer supported and no patches are available, immediate mitigation involves implementing restrictive firewall rules to block unauthorized access to the `/getcfg.php` endpoint. This can include blocking external access to the device's web interface or specifically filtering requests to `/getcfg.php`. Additionally, network segmentation and limiting access to trusted users can reduce exposure. Avoid exposing the device to the internet and monitor for suspicious requests targeting the vulnerable endpoint. [1, 2]