Cyber Resilience

CVE-2025-2549

MediumPublic PoC

Published: 20 March 2025

Published
20 March 2025
Modified
15 July 2025
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0044 63.4th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-2549 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Dlink Dir-618 Firmware. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 36.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SA-22 (Unsupported System Components).

Deeper analysis

CVE-2025-2549 is a problematic vulnerability affecting D-Link DIR-618 and DIR-605L routers on firmware versions 2.02 and 3.02. The issue involves an unknown functionality in the /goform/formSetPassword file, where manipulation results in improper access controls (CWE-266, CWE-284). Published on 2025-03-20, it carries a CVSS v3.1 base score of 4.3 (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) and impacts only products no longer supported by the maintainer.

Attackers positioned within the local network can exploit this vulnerability with low complexity, no required privileges, and no user interaction. Exploitation enables manipulation leading to improper access controls, resulting in low-impact integrity violations but no effects on confidentiality or availability.

Advisories note that the exploit has been publicly disclosed and may be used, with details available via VulDB entries (ctiid.300163, id.300163) and Notion pages specific to the DIR-605L and DIR-618. No patches are available due to end-of-support status for the affected products.

EU & UK References

Vulnerability details

A vulnerability has been found in D-Link DIR-618 and DIR-605L 2.02/3.02 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /goform/formSetPassword. The manipulation leads to improper access controls. The attack needs to be done…

more

within the local network. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The improper access control vulnerability in /goform/formSetPassword allows unauthenticated local network attackers to set the admin password via crafted HTTP POST, enabling exploitation for privilege escalation (T1068).

CVEs Like This One

CVE-2025-2548Same product: Dlink Dir-605L
CVE-2026-5984Same product: Dlink Dir-605L
CVE-2026-4194Same vendor: Dlink
CVE-2026-2055Same product: Dlink Dir-605L
CVE-2026-4193Same vendor: Dlink
CVE-2026-2054Same product: Dlink Dir-605L
CVE-2026-5983Same product: Dlink Dir-605L
CVE-2026-5981Same product: Dlink Dir-605L
CVE-2026-5980Same product: Dlink Dir-605L
CVE-2026-4180Same vendor: Dlink

Affected Assets

dlink
dir-618 firmware
2.02
dlink
dir-605l firmware
3.02

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for logical access to system resources, directly countering the improper access controls vulnerability in /goform/formSetPassword.

prevent

Prohibits or compensates for unsupported system components like the end-of-life D-Link DIR-618 and DIR-605L routers, eliminating exposure to unpatchable flaws.

prevent

Requires timely remediation of identified flaws including this access control issue via patching, mitigation, or system discontinuation.

References