CVE-2025-55583
Published: 28 August 2025
Summary
CVE-2025-55583 is a critical-severity OS Command Injection (CWE-78) vulnerability in D-Link DIR-868L firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 19.0% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the vulnerability by requiring timely application of the D-Link firmware patch from security advisory SAP10397 to remediate the command injection flaw.
Requires validation and sanitization of the pre_api_arg parameter to block OS command injection in the fileaccess.cgi component.
Enforces authentication and access controls on the /dws/api/UploadFile endpoint to prevent unauthenticated remote exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated command injection in a public web endpoint directly enables RCE via a Unix shell on a network device.
NVD Description
D-Link DIR-868L B1 router firmware version FW2.05WWB02 contains an unauthenticated OS command injection vulnerability in the fileaccess.cgi component. The endpoint /dws/api/UploadFile accepts a pre_api_arg parameter that is passed directly to system-level shell execution functions without sanitization or authentication. Remote attackers can exploit this to execute arbitrary commands as root via crafted HTTP requests.
Deeper analysis
CVE-2025-55583 is an unauthenticated OS command injection vulnerability (CWE-78, CWE-306, CWE-668) affecting the D-Link DIR-868L B1 router running firmware version FW2.05WWB02. The issue resides in the fileaccess.cgi component, specifically the /dws/api/UploadFile endpoint, which accepts a pre_api_arg parameter. This parameter is passed directly to system-level shell execution functions without any sanitization or authentication checks, enabling remote code execution.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable over the network with low complexity and no privileges or user interaction required. Remote attackers can send crafted HTTP requests to the vulnerable endpoint, injecting arbitrary OS commands that execute with root privileges on the router. Successful exploitation grants full control over the device, potentially allowing persistence, data exfiltration, or use as a pivot in further network attacks.
D-Link has issued security advisories addressing this issue, including publication SAP10397 available via their support announcement page and a general security bulletin on their website. Additional technical details are provided in a research post from Cybermaya. Security practitioners should consult these references for patch availability, firmware update instructions, or recommended mitigations such as restricting access to the affected endpoint.
Details
- CWE(s)