CVE-2018-25115
Published: 27 August 2025
Summary
CVE-2018-25115 is a critical-severity OS Command Injection (CWE-78) vulnerability in Dlink Dir-110 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 19.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 mandates validation of information inputs like the EVENT=CHECKFW parameter at the service.cgi endpoint to prevent unsanitized data from being passed to the system shell, directly addressing the command injection vulnerability.
SA-22 requires replacement of unsupported system components such as the end-of-life D-Link DIR-series routers with firmware version 1.03, eliminating the unpatchable command injection flaw.
SI-2 establishes processes to identify, report, and correct flaws like the OS command injection in service.cgi, including patching, configuration changes, or system replacement.
NVD Description
Multiple D-Link DIR-series routers, including DIR-110, DIR-412, DIR-600, DIR-610, DIR-615, DIR-645, and DIR-815 firmware version 1.03, contain a vulnerability in the service.cgi endpoint that allows remote attackers to execute arbitrary system commands without authentication. The flaw stems from improper input…
more
handling in the EVENT=CHECKFW parameter, which is passed directly to the system shell without sanitization. A crafted HTTP POST request can inject commands that are executed with root privileges, resulting in full device compromise. These router models are no longer supported at the time of assignment and affected version ranges may vary. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-08-21 UTC.
Deeper analysisAI
CVE-2018-25115 is an OS command injection vulnerability (CWE-78) affecting multiple D-Link DIR-series routers, including models DIR-110, DIR-412, DIR-600, DIR-610, DIR-615, DIR-645, and DIR-815 on firmware version 1.03. The flaw exists in the service.cgi endpoint, where the EVENT=CHECKFW parameter is passed directly to the system shell without proper input sanitization, enabling arbitrary command execution.
Remote attackers can exploit this vulnerability without authentication over the network by crafting an HTTP POST request to the service.cgi endpoint. Successful exploitation allows execution of arbitrary system commands with root privileges, resulting in full device compromise, such as unauthorized access, configuration changes, or use as a pivot for further attacks.
Advisories note that these router models are no longer supported by D-Link, per their End-of-Life policy, with no patches available for firmware version 1.03 and potentially varying affected version ranges. Proof-of-concept exploits are documented on GitHub and Exploit-DB, alongside details in the Vulncheck advisory.
Exploitation evidence was first observed by the Shadowserver Foundation on 2025-08-21 UTC, and the vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), underscoring its critical risk to unpatched, end-of-life devices.
Details
- CWE(s)