CVE-2025-7836
Published: 19 July 2025
Summary
CVE-2025-7836 is a low-severity Injection (CWE-74) vulnerability in D-Link DIR-816L firmware. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 15.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).
Deeper analysis
A vulnerability classified as command injection has been identified in the D-Link DIR-816L router up to firmware version 2.06B01. It resides in the lxmldbc_system function within the /htdocs/cgibin file of the Environment Variable Handler component and is tracked under CWE-74 and CWE-77. The issue permits manipulation of environment variables that results in arbitrary command execution and carries a CVSS 4.0 score of 2.1 reflecting limited impact and low attack complexity.
The flaw can be triggered remotely by an authenticated attacker who supplies crafted input to the affected handler. Successful exploitation yields limited control over the device, allowing execution of injected commands without requiring user interaction. Public exploit code has already been disclosed, although the EPSS score remains flat at 0.0225 with no observed increase since publication.
The affected hardware is explicitly noted as unsupported by the vendor, and the sole reference to D-Link points to the company homepage without any accompanying patch or mitigation guidance. No evidence of in-the-wild exploitation is provided in the available references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21971
Vulnerability details
A vulnerability has been found in D-Link DIR-816L up to 2.06B01 and classified as critical. Affected by this vulnerability is the function lxmldbc_system of the file /htdocs/cgibin of the component Environment Variable Handler. The manipulation leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote command injection in the router's web CGI binary (/htdocs/cgibin, function lxmldbc_system) via environment variables enables exploitation of a public-facing application (T1190), exploitation of remote services (T1210), and arbitrary Unix shell command execution (T1059.004).
Mitigating Controls (NIST 800-53 r5)
Directly blocks the command injection in lxmldbc_system by validating/sanitizing untrusted input to the CGI Environment Variable Handler before it reaches the system call.
Explicitly requires replacement or isolation of the unsupported DIR-816L firmware that can never receive a patch for this publicly disclosed flaw.
Restricts the privileges of the web/CGI process so that even a successful command injection yields only limited impact on the device.