CVE-2025-22968
Published: 15 January 2025
Summary
CVE-2025-22968 is a critical-severity Code Injection (CWE-94) vulnerability in D-Link DWR-M972V firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks in the top 2.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Timely identification, reporting, and correction of flaws like CVE-2025-22968 directly prevents remote arbitrary code execution through the device's unrestricted SSH root access.
- Validating input received over SSH prevents the code injection (CWE-94) that lets unauthenticated remote attackers execute arbitrary code as root.
- Prohibiting or restricting unnecessary functions, such as unrestricted root SSH access on the router, minimizes the attack surface for remote code execution.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability provides unauthenticated root access via SSH (and Telnet) on exposed WAN and LAN ports, enabling default account abuse (T1078.001), command execution through the network device CLI (T1059.008), and initial access via external remote services (T1133).
NVD Description
An issue in D-Link DWR-M972V 1.05SSG allows a remote attacker to execute arbitrary code via SSH using root account without restrictions
Deeper analysis
CVE-2025-22968 is a critical vulnerability (CVSS score 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) published on 2025-01-15, affecting the D-Link DWR-M972V router on firmware version 1.05SSG. Classified under CWE-94 (code injection), the issue enables a remote attacker to execute arbitrary code via SSH by leveraging the root account without any restrictions.
Any unauthenticated remote attacker can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation provides root-level arbitrary code execution on the device, resulting in high-impact compromise of confidentiality, integrity, and availability.
Advisories and further details, including potential patches or mitigations, are referenced on D-Link's security bulletin page at https://www.dlink.com/en/security-bulletin/, along with GitHub repositories https://github.com/CRUNZEX/CVE-2025-22968 and https://github.com/CRUNZEX/CVE-DLINK-LTE containing exploit-related information.
Details
- CWE(s)