Overview
CVE-2025-63932 describes a critical unauthenticated remote code execution (RCE) vulnerability affecting D-Link DIR-868L routers running firmware version A1 FW106KRb01.bin. The flaw allows an attacker to execute arbitrary shell commands on the router without any authentication, which makes it a significant security risk for any exposed device.
Technical Details
The vulnerability resides in the cgibin binary, specifically in the HNAP (Home Network Administration Protocol) service. The service fails to sanitize the value of the HTTP SOAPAction header. An unauthenticated attacker can send a single HTTP request with a malicious SOAPAction header value, and because that value is used unsanitized, the attacker can inject and execute arbitrary shell commands on the router's underlying operating system.
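As an added illustration of how a defender might watch for this class of abuse (example code added here, not from the advisory, from the referenced repository, or from D-Link), the script below scans constructed request-log lines and flags HNAP requests whose SOAPAction header contains shell metacharacters or departs from the expected action-URL form. The log line format, the expected SOAPAction shape (the purenetworks.com/HNAP1/ action URL used by common HNAP implementations) and every sample value are assumptions and constructed test data; adapt the parser to the output of your proxy, IDS or router syslog.

```python
"""Flag HNAP requests whose SOAPAction header looks like command injection.

Added example for defenders; not code from the advisory or from D-Link.
The log format and the expected SOAPAction shape are assumptions.
"""
import re
from typing import Dict, Iterable, List

# Expected shape of a legitimate HNAP SOAPAction value (assumption based on
# common HNAP implementations): a quoted action URL ending in a plain name.
EXPECTED_SOAPACTION = re.compile(r'^"?http://purenetworks\.com/HNAP1/[A-Za-z0-9_]+"?$')

# Sequences a shell would interpret if the header reached a command line
# unsanitized. None of them belongs in a well-formed SOAPAction value.
SHELL_METACHARS = re.compile(r'[;|&`\n\r]|\$\(|\$\{')

# Assumed log line format: "<client_ip> <method> <path> SOAPAction=<value>".
LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+)(?: SOAPAction=(?P<soap>.*))?$')


def soapaction_is_suspicious(value: str) -> bool:
    """True when the value carries shell metacharacters or is not a plain HNAP action URL."""
    if SHELL_METACHARS.search(value):
        return True
    return EXPECTED_SOAPACTION.match(value) is None


def scan_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per request whose SOAPAction header is suspicious."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        match = LINE_RE.match(line.rstrip("\n"))
        if match is None or match.group("soap") is None:
            continue  # not an HNAP request, or no SOAPAction header captured
        value = match.group("soap")
        if soapaction_is_suspicious(value):
            hits.append({"client": match.group("ip"),
                         "path": match.group("path"),
                         "soapaction": value})
    return hits


# Constructed sample log lines (not real traffic): two benign HNAP calls,
# two with shell metacharacters in the header, one unrelated request.
SAMPLE_LOG = [
    '192.0.2.10 POST /HNAP1/ SOAPAction="http://purenetworks.com/HNAP1/GetDeviceSettings"',
    '192.0.2.10 POST /HNAP1/ SOAPAction="http://purenetworks.com/HNAP1/Login"',
    '198.51.100.7 POST /HNAP1/ SOAPAction="http://purenetworks.com/HNAP1/GetDeviceSettings`; echo injected`"',
    '198.51.100.7 POST /HNAP1/ SOAPAction="http://purenetworks.com/HNAP1/Reboot$(echo injected)"',
    '203.0.113.5 GET /index.html',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"suspicious SOAPAction from {hit['client']} to {hit['path']}: {hit['soapaction']}")
```

The check is deliberately two-layered: the metacharacter pattern catches the injection shape described above regardless of action name, while the allow-list regex also surfaces malformed or unexpected SOAPAction values that merit a look even when no metacharacter is present. A hit from a WAN-side address is the strongest signal, since the router's HNAP endpoint should not be reachable from the Internet at all once remote administration is disabled.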
CVSS Analysis
Currently, the CVSS score for CVE-2025-63932 is listed as N/A. Given that exploitation requires no authentication and yields remote code execution, it is highly likely that the score, once assigned, will be critical (CVSS v3.x score of 9.0-10.0).
Possible Impact
Successful exploitation of this vulnerability can have severe consequences:
- Complete System Compromise: Attackers can gain full control of the router.
- Data Theft: Sensitive information stored on the router or passing through it can be compromised.
- Malware Distribution: The compromised router can be used to distribute malware to connected devices.
- Botnet Recruitment: The router can be added to a botnet and used for malicious activities like DDoS attacks.
- Network Disruption: Attackers can disrupt network services and connectivity.
Mitigation or Patch Steps
The most important step to mitigate this vulnerability is to apply the official patch released by D-Link. Follow these steps:
- Check your Firmware Version: Verify that your D-Link DIR-868L router is running firmware version A1 FW106KRb01.bin.
- Apply the Patch: Visit the D-Link support website (https://www.dlink.com/en/security-bulletin/) and download the latest firmware update for your router model.
- Update the Firmware: Follow the instructions provided by D-Link to update the router’s firmware.
- Monitor for Updates: Regularly check for new firmware updates from D-Link to stay protected against future vulnerabilities.
- Disable Remote Access: Disable remote administration access to the router unless it is absolutely necessary.
References
- WhereisRain’s DIR-868 Repository (GitHub) – Provides analysis and details about the vulnerability.
- WhereisRain’s DIR-868 Main Tree (GitHub) – Access to the repository’s main branch.
- D-Link Security Bulletin – Official security advisories and firmware updates from D-Link.
