CVE-2025-9752
BaseFortify
Publication date: 2025-09-01
Last updated on: 2026-04-29
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dir-852_firmware | 1.00cn_b09 |
| dlink | dir-852 | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9752 is a critical remote command injection vulnerability in the D-Link DIR-852 router firmware version 1.00CN B09. It exists in the SOAP service's soap.cgi endpoint, specifically in the soapcgi_main function. The vulnerability occurs because the 'service' parameter in the request URI is not properly validated or sanitized, allowing an attacker to inject arbitrary operating system commands. By sending a specially crafted POST request with shell metacharacters in the 'service' parameter, an unauthenticated attacker can execute arbitrary commands on the device remotely. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can severely impact you by allowing an unauthenticated remote attacker to execute arbitrary commands on your affected D-Link DIR-852 router. This compromises the device's confidentiality, integrity, and availability. An attacker could take full control of the device, potentially using it to launch further attacks, disrupt network services, or access sensitive information. Since the product is no longer supported, no official patches or mitigations exist, increasing the risk of exploitation. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious POST requests to the /soap.cgi endpoint containing the 'service' parameter with shell metacharacters such as the pipe symbol (|). For example, using tools like netcat or curl to send crafted requests or inspecting network traffic for such patterns can help identify exploitation attempts. A specific example from the proof-of-concept is sending a POST request to /soap.cgi?service=|telnetd -p 9999|. Network intrusion detection systems can be configured to alert on such unusual requests targeting the SOAP service's 'service' parameter. [1, 3]
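The monitoring described above can be run over HTTP access logs from a proxy or sensor placed in front of the router. The following is an added example, not code from the advisory or the vendor: it flags POST requests to /soap.cgi whose decoded 'service' value is not a plain identifier. The log format, sample lines, function name, and allowlist pattern are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs

# Assumption: legitimate service names are short alphanumeric identifiers.
SAFE_SERVICE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

# Request line of a combined-format access log entry. The target is matched
# lazily up to " HTTP/x.y" because an injected value may contain raw spaces.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>.+?) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Sep/2025:10:00:01 +0000] '
    '"POST /soap.cgi?service=WANIPConn1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Sep/2025:10:00:05 +0000] '
    '"POST /soap.cgi?service=|telnetd -p 9999| HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/Sep/2025:10:00:09 +0000] '
    '"POST /soap.cgi?service=%7Ctelnetd%20-p%209999%7C HTTP/1.1" 200 0',
    '192.0.2.10 - - [01/Sep/2025:10:00:12 +0000] '
    '"GET /index.php HTTP/1.1" 200 2048',
]


def suspicious_soap_requests(lines):
    """Return (line_number, decoded_service) for every request to flag."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        if not match or match["method"] != "POST":
            continue
        path, _, query = match["target"].partition("?")
        if path != "/soap.cgi":
            continue
        # parse_qs percent-decodes, so encoded metacharacters are caught too;
        # keep_blank_values makes an empty service value visible as well.
        services = parse_qs(query, keep_blank_values=True).get("service", [])
        for value in services:
            if not SAFE_SERVICE.fullmatch(value):
                hits.append((number, value))
    return hits


if __name__ == "__main__":
    for number, value in suspicious_soap_requests(SAMPLE_LOG):
        print(f"line {number}: suspicious service value {value!r}")
```

The same allowlist check, placed in a reverse proxy in front of the device, is one way to apply the input validation mentioned under mitigation when the firmware itself cannot be changed.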
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing the affected D-Link DIR-852 device with a supported alternative, as no vendor patches or countermeasures exist. Additionally, implementing strict input validation on the 'service' parameter by enforcing a whitelist of allowed service names can prevent exploitation. Blocking or filtering incoming requests to the /soap.cgi endpoint at the network perimeter or firewall to prevent remote access to the vulnerable SOAP service is also recommended. [2, 3]