CVE-2025-22968
Published: 15 January 2025
Summary
CVE-2025-22968 is a critical-severity Code Injection (CWE-94) vulnerability in Dlink Dwr-M972V Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001); ranked in the top 2.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-22968 is a critical remote code execution vulnerability affecting the D-Link DWR-M972V router running firmware version 1.05SSG. The flaw, tracked under CWE-94, permits unrestricted arbitrary code execution over SSH by leveraging the root account without any authentication or access controls.
An unauthenticated remote attacker can connect directly to the device's SSH service and execute commands with full root privileges, leading to complete device compromise including configuration changes, traffic interception, or persistence mechanisms. The vulnerability carries a CVSS 3.1 score of 9.8, reflecting network-accessible exploitation with no prerequisites.
D-Link's security bulletin page references available patches and firmware updates for affected models, while public repositories provide proof-of-concept code demonstrating the SSH-based attack path. The EPSS score stands at 0.4206 with no indicated rise from a lower baseline.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3059
Vulnerability details
An issue in D-Link DWR-M972V 1.05SSG allows a remote attacker to execute arbitrary code via SSH using root account without restrictions
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability provides unauthenticated root access via SSH (and Telnet) on exposed WAN/LAN ports, facilitating default account abuse (T1078.001), command execution through network device CLI (T1059.008), and initial access via external remote services (T1133).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Timely identification, reporting, and correction of flaws like CVE-2025-22968 directly prevents remote arbitrary code execution via vulnerable SSH root access.
Validating SSH inputs prevents code injection (CWE-94) that enables unauthenticated remote attackers to execute arbitrary code as root.
Prohibiting or restricting unnecessary functions such as unrestricted root SSH access on the router minimizes the attack surface for remote code execution.