Cyber Resilience

CVE-2025-55583

Critical · Public PoC · RCE

Published: 28 August 2025
Modified: 09 September 2025
KEV Added: not listed
Patch: D-Link security publication SAP10397
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0146 (81.3rd percentile)
Risk priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-55583 is a critical-severity OS command injection (CWE-78) vulnerability in D-Link DIR-868L firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 18.7% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a publicly referenced proof of concept.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

D-Link DIR-868L B1 routers running firmware version FW2.05WWB02 are affected by an unauthenticated OS command injection vulnerability in the fileaccess.cgi component. The /dws/api/UploadFile endpoint accepts a pre_api_arg parameter that is passed directly to system-level shell execution functions without input sanitization or authentication checks, as indicated by the associated CWEs for OS command injection, missing authentication, and exposure of sensitive resources.

Remote attackers can exploit the flaw over the network by sending crafted HTTP requests to the endpoint, achieving arbitrary command execution with root privileges and full impact on confidentiality, integrity, and availability according to the CVSS 9.8 rating.

D-Link has issued a security publication SAP10397 along with related advisories and bulletins that address the vulnerability in the affected router firmware. The EPSS score remains low with only minimal movement between its current value of 0.0146 and recorded peak of 0.0150.


Vulnerability details

D-Link DIR-868L B1 router firmware version FW2.05WWB02 contains an unauthenticated OS command injection vulnerability in the fileaccess.cgi component. The endpoint /dws/api/UploadFile accepts a pre_api_arg parameter that is passed directly to system-level shell execution functions without sanitization or authentication. Remote attackers can exploit this to execute arbitrary commands as root via crafted HTTP requests.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques? Unauthenticated command injection in a public web endpoint directly enables RCE through the Unix shell on a network device.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3485 (same product: Dlink Dir-868L)
CVE-2025-25894 (same vendor: Dlink)
CVE-2026-2260 (same vendor: Dlink)
CVE-2026-4465 (same vendor: Dlink)
CVE-2026-2210 (same vendor: Dlink)
CVE-2026-8273 (same vendor: Dlink)
CVE-2026-2151 (same vendor: Dlink)
CVE-2026-8272 (same vendor: Dlink)
CVE-2026-2157 (same vendor: Dlink)
CVE-2026-2129 (same vendor: Dlink)

Affected Assets

dlink · dir-868l firmware · 2.05b02

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent: Directly mitigates the vulnerability by requiring timely application of the D-Link firmware patch from security advisory SAP10397 to remediate the command injection flaw.

Prevent (SI-10, Information Input Validation): Requires validation and sanitization of the pre_api_arg parameter to block OS command injection in the fileaccess.cgi component.

Prevent (AC-3, Access Enforcement): Enforces authentication and access controls on the /dws/api/UploadFile endpoint to prevent unauthenticated remote exploitation.
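The SI-10 control above calls for validating pre_api_arg, and the deeper analysis describes the endpoint it reaches. The following added example (not code from the advisory, D-Link or this tracker) shows a strict allowlist check for that parameter and a detection pass over constructed access-log lines for requests to /dws/api/UploadFile whose argument fails it; the Common Log Format layout and the assumption that pre_api_arg appears in the query string are constructed for illustration.

```python
"""Input validation and log detection for the fileaccess.cgi
/dws/api/UploadFile command-injection pattern (added example, not from
the advisory or D-Link). Log format and query-string placement of
pre_api_arg are constructed assumptions."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/dws/api/UploadFile"
# Shell metacharacters that let a value escape a shell command line.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r\\'\"]")
# Conservative allowlist for a well-formed argument (constructed assumption).
SAFE_ARG = re.compile(r"^[A-Za-z0-9_./-]{1,128}$")

# Constructed sample access-log lines (Common Log Format with query strings).
SAMPLE_LOG = """\
192.0.2.10 - - [28/Aug/2025:10:00:01 +0000] "POST /dws/api/UploadFile?pre_api_arg=backup.tar HTTP/1.1" 200 512
192.0.2.11 - - [28/Aug/2025:10:00:02 +0000] "POST /dws/api/UploadFile?pre_api_arg=file%3Bx HTTP/1.1" 200 77
192.0.2.12 - - [28/Aug/2025:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024
192.0.2.13 - - [28/Aug/2025:10:00:04 +0000] "POST /dws/api/UploadFile?pre_api_arg=%60x%60 HTTP/1.1" 200 81
"""

# client ip, method, request target, status code
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def validate_pre_api_arg(value: str) -> bool:
    """Return True only if the decoded value fits the strict allowlist.
    Decoding first stops %-encoding from hiding metacharacters."""
    decoded = unquote(value)
    return bool(SAFE_ARG.match(decoded)) and not SHELL_META.search(decoded)

def suspicious_requests(log_text: str) -> list:
    """Return (client_ip, decoded_arg) for hits on the vulnerable endpoint
    whose pre_api_arg would fail validation."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        ip, _method, target, _status = m.groups()
        parts = urlsplit(target)
        if parts.path != ENDPOINT:
            continue
        # parse_qs already percent-decodes each value
        for arg in parse_qs(parts.query).get("pre_api_arg", []):
            if not validate_pre_api_arg(arg):
                hits.append((ip, unquote(arg)))
    return hits
```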
