Cyber Resilience

CVE-2025-7836

Severity: Low · Public PoC

Published: 19 July 2025
Modified: 29 April 2026
KEV Added: not listed
Patch: none referenced
CVSS v4 score: 2.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0225 (84.9th percentile)
Risk priority: 6 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-7836 is a low-severity Injection (CWE-74) vulnerability in Dlink Dir-816L Firmware. Its CVSS base score is 2.1 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 15.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).

Deeper analysis

A vulnerability classified as command injection has been identified in the D-Link DIR-816L router up to firmware version 2.06B01. It resides in the lxmldbc_system function within the /htdocs/cgibin file of the Environment Variable Handler component and is tracked under CWE-74 and CWE-77. The issue permits manipulation of environment variables that results in arbitrary command execution and carries a CVSS 4.0 score of 2.1 reflecting limited impact and low attack complexity.

The flaw can be triggered remotely by an authenticated attacker who supplies crafted input to the affected handler. Successful exploitation yields limited control over the device, allowing execution of injected commands without requiring user interaction. Public exploit code has already been disclosed, although the EPSS score remains flat at 0.0225 with no observed increase since publication.

The affected hardware is explicitly noted as unsupported by the vendor, and the sole reference to D-Link points to the company homepage without any accompanying patch or mitigation guidance. No evidence of in-the-wild exploitation is provided in the available references.


Vulnerability details

A vulnerability has been found in D-Link DIR-816L up to 2.06B01 and classified as critical. Affected by this vulnerability is the function lxmldbc_system of the file /htdocs/cgibin of the component Environment Variable Handler. The manipulation leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

CWE(s): CWE-74 (Injection), CWE-77 (Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

A remote command injection in the router's web CGI binary (lxmldbc_system in /htdocs/cgibin), reachable through environment variables, enables exploitation of a public-facing application (T1190), exploitation of remote services (T1210), and arbitrary Unix shell command execution (T1059.004).

CVEs Like This One

CVE-2025-9727 (same product: Dlink Dir-816L)
CVE-2025-13191 (same product: Dlink Dir-816L)
CVE-2025-13188 (same product: Dlink Dir-816L)
CVE-2025-13189 (same product: Dlink Dir-816L)
CVE-2026-2194 (same vendor: Dlink)
CVE-2026-2218 (same vendor: Dlink)
CVE-2026-4203 (same vendor: Dlink)
CVE-2026-4207 (same vendor: Dlink)
CVE-2025-10628 (same vendor: Dlink)
CVE-2026-4210 (same vendor: Dlink)

Affected Assets

dlink / dir-816l firmware / ≤ 2.06b01

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent: SI-10 (Information Input Validation)

Directly blocks the command injection in lxmldbc_system by validating or sanitizing untrusted input to the CGI Environment Variable Handler before it reaches the system call.
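As an added example (not code from this page or from D-Link's firmware), the hypothetical C handler below shows the pattern the SI-10 control describes: a CGI parameter arriving via an environment variable is allowlist-validated, and the accepted value is passed as a single argv element to execv() so that no shell ever parses it. The environment variable name EXAMPLE_TARGET_HOST, the /bin/echo stand-in for the invoked tool, and the sample values are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Maximum length accepted for a hostname-like parameter (DNS limit). */
#define MAX_HOST_LEN 253

/*
 * Allowlist validator for a value that will become a command argument.
 * Accepts only [A-Za-z0-9.-], rejects empty or over-long values and a
 * leading '-', so the value can never be read as a shell construct or as
 * an option to the invoked tool. Returns 1 if safe, 0 otherwise.
 */
int is_safe_hostname(const char *s)
{
    size_t n;
    if (s == NULL || *s == '\0' || *s == '-')
        return 0;
    n = strlen(s);
    if (n > MAX_HOST_LEN)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/*
 * Detection aid: counts characters a POSIX shell treats specially.
 * A non-zero count in a CGI parameter is worth logging even when the
 * request is rejected, because it signals an injection attempt.
 */
int count_shell_metachars(const char *s)
{
    static const char meta[] = ";|&$`\"'\\<>(){}*?!\n";
    int count = 0;
    for (; s != NULL && *s != '\0'; s++)
        if (strchr(meta, *s) != NULL)
            count++;
    return count;
}

/*
 * Hardened execution path: the validated value is one argv element handed
 * to execv(), so no shell interprets it. /bin/echo is a constructed
 * stand-in for whatever tool a real handler would run.
 * Returns the child's exit status, or -1 on validation or fork failure.
 */
int run_tool_without_shell(const char *host)
{
    if (!is_safe_hostname(host))
        return -1;
    char *const argv[] = { "/bin/echo", "probe", (char *)host, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Reads the parameter from a CGI-style environment variable (constructed name). */
int handle_request_from_env(void)
{
    const char *value = getenv("EXAMPLE_TARGET_HOST");
    if (value == NULL)
        return -1;
    int meta = count_shell_metachars(value);
    if (meta > 0)
        fprintf(stderr, "rejected: %d shell metacharacter(s) in parameter\n", meta);
    return run_tool_without_shell(value);
}

int main(void)
{
    /* Constructed inputs: one benign, one carrying an injection attempt. */
    setenv("EXAMPLE_TARGET_HOST", "router.local", 1);
    printf("benign value -> status %d\n", handle_request_from_env());
    setenv("EXAMPLE_TARGET_HOST", "router.local;id", 1);
    printf("hostile value -> status %d\n", handle_request_from_env());
    return 0;
}
```

The two controls work together: the allowlist rejects anything outside the expected character set before the process is spawned, and execv() with a fixed argv removes the shell from the path entirely, so even a validator bug cannot turn a parameter into a second command. Logging the metacharacter count on rejected requests gives the operations team a signal to alert on.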

Prevent: SA-22 (Unsupported System Components)

Explicitly requires replacement or isolation of the unsupported DIR-816L firmware, which can never receive a patch for this publicly disclosed flaw.

Prevent

Restricts the privileges of the web/CGI process so that even a successful command injection yields only limited impact on the device.
