
CVE-2025-22968

Critical · Public PoC · RCE

Published: 15 January 2025
Modified: 21 May 2025
KEV Added: not listed
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.4206 (97.5th percentile)
Risk Priority: 45 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-22968 is a critical-severity Code Injection (CWE-94) vulnerability in D-Link DWR-M972V firmware. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks in the top 2.5% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations this analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation). Of the two, CM-7 is the one that actually closes the attack path: removing or restricting the exposed root SSH service.

Deeper analysis

CVE-2025-22968 is a critical remote code execution vulnerability in the D-Link DWR-M972V router running firmware version 1.05SSG. The flaw, recorded as CWE-94 (Code Injection), allows arbitrary command execution over SSH through the root account, which is reachable without authentication or access controls. Note that the behaviour described (an unrestricted root account exposed over SSH) is an access-control weakness rather than injection into a parser; CWE-94 is the classification recorded against the CVE.

An unauthenticated remote attacker who can reach the SSH service can run commands as root, which amounts to complete device compromise: configuration changes, interception of traffic passing through the router, and installation of persistence. The CVSS 3.1 vector encodes exactly this: network-reachable (AV:N), low complexity (AC:L), no privileges (PR:N) and no user interaction (UI:N) required, with high impact on confidentiality, integrity and availability.

D-Link's security bulletin references firmware updates for affected models, and public repositories carry proof-of-concept code for the SSH attack path. The EPSS score is 0.4206 (97.5th percentile); no earlier, lower baseline is recorded, so there is no trend to report.


Vulnerability details

An issue in D-Link DWR-M972V 1.05SSG allows a remote attacker to execute arbitrary code via SSH using the root account without restrictions.

CWE(s)

CWE-94 Code Injection

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1078.001 Default Accounts (Stealth)
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1059.008 Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.
T1133 External Remote Services (Persistence)
Adversaries may leverage external-facing remote services to initially access and/or persist within a network.

Why these techniques?

The vulnerability gives unauthenticated root access over SSH (and, according to this mapping, Telnet; the CVE description itself mentions only SSH) on exposed WAN/LAN ports. That corresponds to default account abuse (T1078.001), command execution through the device CLI (T1059.008), and initial access and persistence via an external-facing remote service (T1133).
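As an added example (not code from this page or from D-Link), the following Python flags the root logins this mapping describes: root accepted with no credential at all, or root accepted over SSH or Telnet from outside an assumed management network. It assumes the device forwards OpenSSH- or Dropbear-style syslog lines; the sample log lines, the telnetd line format and the 192.168.0.0/24 management prefix are constructed for the example.

```python
"""Flag root logins over SSH/Telnet that match T1078.001 / T1133 abuse.

Added example; not D-Link code. Log formats follow OpenSSH and Dropbear
conventions, the telnetd line and all sample lines are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Networks from which root logins are tolerated. Assumed for the example;
# set it to the router's real management LAN.
MGMT_NETS = [ipaddress.ip_network("192.168.0.0/24")]

# OpenSSH: "Accepted <method> for <user> from <ip> port <n> ssh2".
# "Accepted none" means the client's initial no-credential request was
# enough, i.e. the account needed no authentication at all.
SSH_ACCEPT = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)
# Dropbear (common on embedded devices):
# "Password auth succeeded for 'root' from <ip>:<port>".
DROPBEAR_ACCEPT = re.compile(
    r"(?P<method>Password|Pubkey) auth succeeded for '(?P<user>[^']+)'"
    r".*? from (?P<src>[\d.]+):\d+"
)
# Telnet daemon line, constructed for this example: "login from <ip> as <user>".
TELNET_LOGIN = re.compile(r"login from (?P<src>[\d.]+) as (?P<user>\S+)")


@dataclass
class Alert:
    user: str
    src: str
    service: str
    method: str
    reason: str


def outside_mgmt(src: str) -> bool:
    """True when src is not inside any allowed management network."""
    ip = ipaddress.ip_address(src)
    return not any(ip in net for net in MGMT_NETS)


def inspect_line(line: str) -> Optional[Alert]:
    """Return an Alert for a root login that should not have happened, else None."""
    if (m := SSH_ACCEPT.search(line)):
        service, method = "ssh", m["method"].lower()
    elif (m := DROPBEAR_ACCEPT.search(line)):
        service, method = "ssh", m["method"].lower()
    elif (m := TELNET_LOGIN.search(line)):
        service, method = "telnet", "password"
    else:
        return None  # not a successful login line
    user, src = m["user"], m["src"]
    if user != "root":
        return None
    if method == "none":
        reason = "root accepted without any credential"
    elif outside_mgmt(src):
        reason = "root login from outside the management network"
    else:
        return None  # root from the management LAN with a credential: tolerated
    return Alert(user, src, service, method, reason)


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run inspect_line over a log stream and keep the hits, in log order."""
    return [a for a in map(inspect_line, lines) if a is not None]


# Constructed sample syslog lines (not real device output).
SAMPLE_LOG = [
    "Jan 15 10:02:11 dwr-m972v sshd[412]: Accepted none for root from 203.0.113.45 port 51522 ssh2",
    "Jan 15 10:05:30 dwr-m972v sshd[418]: Accepted password for root from 192.168.0.10 port 40022 ssh2",
    "Jan 15 10:07:02 dwr-m972v sshd[421]: Accepted password for admin from 198.51.100.7 port 39010 ssh2",
    "Jan 15 10:09:45 dwr-m972v telnetd[430]: login from 198.51.100.7 as root",
    "Jan 15 10:11:00 dwr-m972v sshd[433]: Failed password for root from 203.0.113.45 port 51600 ssh2",
    "Jan 15 10:13:27 dwr-m972v dropbear[440]: Password auth succeeded for 'root' from 203.0.113.99:60100",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert.service}] {alert.user}@{alert.src} via {alert.method}: {alert.reason}")
```

Against the sample lines the scan raises three alerts (the credential-less root SSH login, the Telnet root login from a WAN address, and the Dropbear root login from a WAN address) and ignores the root login from the management LAN, the non-root login and the failed attempt. The "Accepted none" case is the one worth its own rule: it is the log signature of an account that needs no credential, which is exactly the condition this CVE describes.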

CVEs Like This One

CVE-2025-2717 (same vendor: D-Link)
CVE-2026-1448 (same vendor: D-Link)
CVE-2025-25895 (same vendor: D-Link)
CVE-2026-1506 (same vendor: D-Link)
CVE-2025-25893 (same vendor: D-Link)
CVE-2025-55848 (same vendor: D-Link)
CVE-2026-0732 (same vendor: D-Link)
CVE-2025-13306 (same vendor: D-Link)
CVE-2026-2082 (same vendor: D-Link)
CVE-2026-5844 (same vendor: D-Link)

Affected Assets

Vendor: D-Link
Product: DWR-M972V firmware
Version: 1.05SSG

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent)

Timely identification, reporting, and correction of flaws like CVE-2025-22968 directly prevents remote arbitrary code execution via the exposed root SSH account: apply the firmware update referenced in D-Link's bulletin as soon as it is available for the DWR-M972V.

SI-10 Information Input Validation (prevent)

Validating inputs is the control the CWE-94 classification points to. It only applies to whatever command surface the SSH service exposes; it does not address the underlying problem, an unauthenticated root account that a remote attacker can log in to, so do not rely on it as the primary mitigation.

CM-7 Least Functionality (prevent)

Prohibiting or restricting unnecessary functions such as unrestricted root SSH access on the router minimizes the attack surface for remote code execution. In practice: disable SSH (and Telnet, if present) on the WAN interface, restrict it on the LAN to a management network, and block TCP/22 to the router's WAN address at the perimeter until the device is updated.
