CVE-2025-10628

Severity: Low · Public PoC

Published: 18 September 2025
Modified: 29 April 2026
KEV Added: not listed
Patch: none available (product no longer supported)
CVSS Score (v4.0): 2.1
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0069 (72.4th percentile)
Risk Priority: 5 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-10628 is a low-severity injection (CWE-74) vulnerability in Dlink Dir-852 Firmware. Its CVSS v4.0 base score is 2.1 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 27.6% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-10628 is a command injection vulnerability (CWE-74, CWE-77) discovered in the D-Link DIR-852 router running firmware version 1.00CN B09. The flaw resides in an unspecified function within the file /htdocs/cgibin/hedwig.cgi, part of the Web Management Interface. Published on September 18, 2025, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), rated as medium severity.

The vulnerability can be exploited remotely by an attacker who already holds low-privilege access (PR:L) to the Web Management Interface; no user interaction is required. Manipulating the input handled by the affected endpoint yields command injection, with limited impact on confidentiality, integrity, and availability (C:L/I:L/A:L).

References, including VulDB entries and a GitHub issue (i-Corner/cve#31), document the vulnerability but note that it affects only products no longer supported by the maintainer, so no official patch is available. The D-Link website is listed as a reference, though no specific mitigation guidance is detailed in the provided information.

An exploit for this vulnerability has been made public and could be used, increasing risk for exposed, end-of-life DIR-852 devices.

Vulnerability details

A vulnerability was found in D-Link DIR-852 1.00CN B09. This vulnerability affects unknown code of the file /htdocs/cgibin/hedwig.cgi of the component Web Management Interface. Performing manipulation results in command injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The command injection in the web management interface (hedwig.cgi) is reached by exploiting a public-facing application (T1190) and, after authentication, results in arbitrary Unix shell command execution on the device (T1059.004).

CVEs Like This One

CVE-2025-10629 (same product: Dlink Dir-852)
CVE-2025-13562 (same product: Dlink Dir-852)
CVE-2025-9752 (same product: Dlink Dir-852)
CVE-2026-2194 (same vendor: Dlink)
CVE-2026-2218 (same vendor: Dlink)
CVE-2026-4203 (same vendor: Dlink)
CVE-2026-4207 (same vendor: Dlink)
CVE-2026-4210 (same vendor: Dlink)
CVE-2026-4197 (same vendor: Dlink)
CVE-2025-10634 (same vendor: Dlink)

Affected Assets

Vendor: dlink
Product: dir-852 firmware
Version: 1.00cn_b09

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation and sanitization of all input to hedwig.cgi, blocking the command-injection payload before execution.

AC-6 Least Privilege (prevent): Limits the low-privilege web account to the minimum rights needed, reducing the scope of commands that can be injected.

Boundary protection (prevent): Enforces boundary rules that can block or restrict remote access to the management interface on unsupported devices.
