Overview
CVE-2025-13562 is a high-severity command injection vulnerability affecting D-Link DIR-852 routers with firmware version 1.00. This flaw allows remote attackers to execute arbitrary commands on the router by manipulating the service argument in a request to the /gena.cgi endpoint. Because the device is no longer supported, a patch is not expected.
This vulnerability has a public exploit available, making it a significant risk for vulnerable devices still in use. Given the end-of-life status of these devices, immediate action is required to mitigate potential exploits.
Technical Details
The vulnerability stems from insufficient input validation when processing the service argument in requests to the /gena.cgi endpoint. An attacker can inject malicious commands into this argument, which are then executed by the underlying operating system with elevated privileges. This allows for complete control of the device, potentially leading to data theft, denial of service, or further network compromise.
The injection point is in the processing logic of the gena.cgi script. Shell commands placed in the service parameter of a crafted HTTP request are executed by the device rather than being treated as data, giving the attacker arbitrary code execution.
CVSS Analysis
The vulnerability has been assigned a CVSS v3 score of 7.3, indicating a High severity rating.
- CVSS Score: 7.3
- Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
- Explanation: This score reflects the ease of exploitation (no user interaction required, low attack complexity), the remote attack vector, and the potential for high confidentiality and integrity impact, coupled with a low availability impact.
Possible Impact
Successful exploitation of CVE-2025-13562 can have severe consequences:
- Complete Device Control: Attackers can gain full control of the D-Link DIR-852 router.
- Data Theft: Sensitive information stored on or passing through the router can be stolen.
- Malware Installation: The router can be used as a launching pad for malware attacks on other devices on the network.
- Denial of Service (DoS): The router can be rendered unusable, disrupting network connectivity.
- Network Compromise: The compromised router can be used to gain access to other devices and systems on the network.
Mitigation & Patch Steps
Unfortunately, the D-Link DIR-852 is no longer supported by the manufacturer, meaning no official patch will be released. Therefore, the recommended mitigation strategies are:
- Retire the Device: The most effective solution is to replace the D-Link DIR-852 router with a newer, supported model from any vendor. Ensure the new router receives regular security updates.
- Network Segmentation: If replacing the device is not immediately feasible, isolate the D-Link DIR-852 router from the rest of your network. This can limit the damage an attacker can cause if the router is compromised. Place it on a separate VLAN or behind a firewall.
- Monitor Network Traffic: Closely monitor network traffic for any suspicious activity originating from the D-Link DIR-852 router.
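
The monitoring step can be applied to HTTP logs from a proxy or firewall in front of the router. The script below is an added example, not part of the original advisory and not vendor code; it flags requests to /gena.cgi whose service value contains shell metacharacters. It assumes Common Log Format lines and that the service argument is carried in the URL query string; the log lines and the metacharacter set are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: a legitimate service value never contains whitespace or
# characters that a shell interprets. Tune this set to your own traffic.
SHELL_META = re.compile(r"[;&|`$(){}<>\\'\"\s]")

# Common Log Format: source address first, request line in double quotes.
REQUEST = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')

# Constructed sample log lines (documentation address ranges, placeholder payload).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Dec/2025:10:00:00 +0000] "GET /gena.cgi?service=example HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/Dec/2025:10:00:05 +0000] "GET /gena.cgi?service=x%3BPLACEHOLDER HTTP/1.1" 200 0',
    '192.0.2.10 - - [01/Dec/2025:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 512',
    'malformed line without a request field',
]

def suspicious_service(target):
    """Return the decoded service value if the request targets /gena.cgi
    and that value contains shell metacharacters; otherwise return None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/gena.cgi"):
        return None
    # parse_qsl percent-decodes values, so encoded metacharacters are caught too.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() == "service" and SHELL_META.search(value):
            return value
    return None

def scan(lines):
    """Return (source address, decoded service value) for each flagged request."""
    hits = []
    for line in lines:
        match = REQUEST.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        value = suspicious_service(match.group("target"))
        if value is not None:
            hits.append((match.group("src"), value))
    return hits

if __name__ == "__main__":
    for src, value in scan(SAMPLE_LOG):
        print(f"ALERT src={src} service={value!r}")
```

Any hit from outside the management network is worth investigating, and on an isolated VLAN any request to /gena.cgi at all may be unexpected.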
