Cyber Resilience

CVE-2025-8978

Medium · Public PoC

Published: 14 August 2025

Modified: 12 September 2025
KEV Added
Patch
CVSS Score v4: 6.6
CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0163 (82.3rd percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-8978 is a medium-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability in D-Link DIR-619L firmware. Its CVSS base score is 6.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 17.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-7 (Software, Firmware, and Information Integrity).

Deeper analysis

A vulnerability exists in the D-Link DIR-619L wireless router running firmware version 6.02CN02. The issue resides in the FirmwareUpgrade function within the boa web server component and stems from insufficient verification of data authenticity, tracked as CWE-345. An attacker can supply manipulated firmware data during an upgrade operation, and the flaw affects only devices that are no longer supported by the vendor.

The vulnerability can be triggered remotely, although successful exploitation requires high attack complexity and administrative privileges. An authenticated attacker who supplies crafted firmware can achieve full control over the device, resulting in high impact to confidentiality, integrity, and availability. A public proof-of-concept has been released, indicating that the exploit is known and potentially usable despite the noted difficulty.

The affected product has reached end-of-support, and no patches are expected from the maintainer. The associated EPSS score remains flat at 0.0163 with no material increase after disclosure.

EU & UK References

Vulnerability details

A vulnerability was determined in D-Link DIR-619L 6.02CN02. Affected is the function FirmwareUpgrade of the component boa. The manipulation leads to insufficient verification of data authenticity. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1499.004 · Application or System Exploitation · Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

T1542.001 · System Firmware · Stealth
Adversaries may modify system firmware to persist on systems.

Why these techniques?

The vulnerability in the FirmwareUpgrade function allows remote authenticated attackers to bypass data authenticity checks and upload tampered firmware, enabling exploitation of a public-facing web application (T1190), denial of service via bad firmware (T1499.004), and persistent arbitrary code execution by modifying system firmware (T1542.001).

CVEs Like This One

CVE-2025-55611 (same product: Dlink Dir-619L)
CVE-2025-55599 (same product: Dlink Dir-619L)
CVE-2025-55602 (same product: Dlink Dir-619L)
CVE-2026-2055 (same product: Dlink Dir-619L)
CVE-2026-2054 (same product: Dlink Dir-619L)
CVE-2026-2056 (same product: Dlink Dir-619L)
CVE-2025-12295 (same vendor: Dlink)
CVE-2025-13305 (same vendor: Dlink)
CVE-2025-70249 (same vendor: Dlink)
CVE-2025-50646 (same vendor: Dlink)

Affected Assets

dlink
dir-619l firmware
6.02cn02

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent · detect

Directly requires cryptographic verification of firmware integrity and authenticity before installation, blocking the exact CWE-345 flaw in FirmwareUpgrade.

prevent

Mandates that firmware components be digitally signed and verified prior to use, preventing acceptance of unauthenticated upgrade images.

prevent · respond

Requires replacement or isolation of unsupported components (explicitly noted for this end-of-life device) to eliminate exposure to unpatchable firmware-authenticity weaknesses.

References