Cyber Posture

CVE-2025-8956

MediumPublic PoC

Published: 14 August 2025

Published
14 August 2025
Modified
29 April 2026
KEV Added
Patch
CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0058 69.1th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-8956 is a medium-severity Injection (CWE-74) vulnerability in Dlink Dir-818L Firmware. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 30.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques.
Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SA-11 Developer Testing and Evaluation
addresses: CWE-74

Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.

SI-4 System Monitoring
addresses: CWE-74

Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
T1202 Indirect Command Execution Stealth
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
attack.mitre.org →
Why these techniques?

Command injection in public-facing ssdpcgi CGI (T1190) enables remote arbitrary Unix shell command execution (T1059.004, T1202 via getenv and system call).

NVD Description

A vulnerability was found in D-Link DIR‑818L up to 1.05B01. This issue affects the function getenv of the file /htdocs/cgibin of the component ssdpcgi. The manipulation leads to command injection. The attack may be initiated remotely. The exploit has been…

more

disclosed to the public and may be used.

Deeper analysisAI

CVE-2025-8956 is a command injection vulnerability in D-Link DIR-818L routers up to version 1.05B01. The flaw affects the getenv function in the /htdocs/cgibin file of the ssdpcgi component, where manipulation enables arbitrary command execution. It is classified under CWE-74 and CWE-77, with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

The vulnerability can be exploited remotely by an attacker who has low privileges, such as an authenticated user with minimal access. Exploitation requires network access and low complexity but no user interaction, allowing the attacker to achieve limited impacts on confidentiality, integrity, and availability through injected commands.

Advisories are documented on VulDB (ctiid.319925, id.319925, submit.627835), with a GitHub repository detailing the remote arbitrary command execution exploit in the ssdpcgi component. The D-Link website is referenced for further information, though specific patch or mitigation guidance is not detailed in the available descriptions.

The exploit has been publicly disclosed and may be used by attackers.

Details

CWE(s)
CWE-74CWE-77

Affected Products

dlink
dir-818l firmware
105b01

CVEs Like This One

CVE-2025-10689Same vendor: Dlink
CVE-2025-14225Same vendor: Dlink
CVE-2025-7932Same vendor: Dlink
CVE-2026-4197Same vendor: Dlink
CVE-2025-10628Same vendor: Dlink
CVE-2026-4196Same vendor: Dlink
CVE-2026-4206Same vendor: Dlink
CVE-2026-2085Same vendor: Dlink
CVE-2025-1800Same vendor: Dlink
CVE-2026-1625Same vendor: Dlink

References