
CVE-2025-9026

Severity: Medium · Public PoC

Published: 15 August 2025
Modified: 29 April 2026
KEV Added: not listed
Patch: none referenced
CVSS v4 score: 5.5 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0597 (90.9th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-9026 is a medium-severity Command Injection (CWE-77) vulnerability in Dlink Dir-860L Firmware. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 9.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).

Deeper analysis

A vulnerability identified as CVE-2025-9026 affects the D-Link DIR-860L router running firmware version 2.04.B04. It resides in the ssdpcgi_main function within the htdocs/cgibin file of the Simple Service Discovery Protocol component, where improper handling of input enables OS command injection. The issue is tracked under CWE-77 and CWE-78, carries a CVSS 4.0 score of 5.5, and is exploitable over the network without authentication or user interaction. The product is no longer supported by the vendor.

Remote attackers can send specially crafted requests to the affected SSDP endpoint to execute arbitrary operating-system commands. Successful exploitation yields limited impacts on confidentiality, integrity, and availability of the device. A proof-of-concept has been publicly disclosed, and the EPSS score remains flat at 0.0135 with no material increase since disclosure.

The referenced advisories and vendor page at dlink.com provide no mitigation guidance, consistent with the device's unsupported status. No evidence of in-the-wild exploitation is supplied in the available data.


Vulnerability details

A vulnerability was identified in D-Link DIR-860L 2.04.B04. This affects the function ssdpcgi_main of the file htdocs/cgibin of the component Simple Service Discovery Protocol. The manipulation leads to OS command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

T1202 Indirect Command Execution (Stealth): Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

Why these techniques?

The OS command injection in the SSDP CGI handler (ssdpcgi_main) enables remote exploitation of a public-facing application (T1190), indirect command execution via the vulnerable function (T1202), and arbitrary Unix shell command execution (T1059.004).

CVEs Like This One

CVE-2025-9752 (same vendor: Dlink)
CVE-2026-2260 (same vendor: Dlink)
CVE-2026-4465 (same vendor: Dlink)
CVE-2026-2210 (same vendor: Dlink)
CVE-2026-8273 (same vendor: Dlink)
CVE-2026-2151 (same vendor: Dlink)
CVE-2026-8272 (same vendor: Dlink)
CVE-2026-2157 (same vendor: Dlink)
CVE-2026-2129 (same vendor: Dlink)
CVE-2026-2143 (same vendor: Dlink)

Affected Assets

Vendor: dlink
Product: dir-860l firmware
Version: 2.04.b04

Mitigating Controls (NIST 800-53 r5)

Prevent: Requires validation and sanitization of SSDP inputs to the ssdpcgi_main function, directly preventing OS command injection exploitation.

Prevent: Mandates management and restriction of unsupported end-of-life system components like the D-Link DIR-860L firmware, eliminating exposure to unpatched vulnerabilities such as this one.

Prevent: Enforces boundary protections to monitor and control network communications to the vulnerable SSDP CGI endpoint, limiting remote unauthenticated access.
