CVE-2025-9026
Published: 15 August 2025
Summary
CVE-2025-9026 is a medium-severity command injection (CWE-77, also classified as OS command injection, CWE-78) vulnerability in the D-Link DIR-860L firmware. Its CVSS 4.0 base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 9.1% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-9026 affects the D-Link DIR-860L router running firmware version 2.04.B04. It resides in the ssdpcgi_main function of the htdocs/cgibin binary, the CGI handler for the Simple Service Discovery Protocol (SSDP) component, where request input is passed to an operating-system command without adequate validation. The issue is tracked under CWE-77 and CWE-78, carries a CVSS 4.0 score of 5.5, and is exploitable over the network without authentication or user interaction. The product has reached end of life and is no longer supported by the vendor.
A remote attacker can send specially crafted requests to the affected SSDP endpoint to execute arbitrary operating-system commands on the device. Per the CVSS vector, successful exploitation yields limited (not high) impact on confidentiality, integrity, and availability. A proof-of-concept has been publicly disclosed; the EPSS score stands at 0.0135 and has not increased materially since disclosure.
The referenced advisories and the vendor page at dlink.com provide no mitigation guidance, consistent with the device's end-of-life status: no firmware fix should be expected, so the practical remedies are replacing the device or isolating its SSDP/UPnP service from untrusted networks. No evidence of in-the-wild exploitation is supplied in the available data.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-25013
Vulnerability details
A vulnerability was identified in D-Link DIR-860L 2.04.B04. This affects the function ssdpcgi_main of the file htdocs/cgibin of the component Simple Service Discovery Protocol. The manipulation leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The OS command injection in the SSDP CGI handler (ssdpcgi_main) lets an unauthenticated remote attacker exploit a public-facing application (T1190), obtain command execution indirectly through the vulnerable handler rather than through an interactive shell of their own (T1202), and ultimately run arbitrary Unix shell commands on the device (T1059.004).
Mitigating Controls (NIST 800-53 r5) (AI)
- SI-10 (Information Input Validation): requires validation and sanitization of SSDP request fields before ssdpcgi_main uses them, directly preventing the OS command injection.
- SA-22 (Unsupported System Components): mandates managing and restricting unsupported end-of-life components such as the DIR-860L firmware, removing exposure to vulnerabilities that will never be patched.
- SC-7 (Boundary Protection): enforces boundary controls that monitor and restrict network access to the SSDP CGI endpoint (UDP/1900 and the UPnP HTTP port), limiting remote unauthenticated reachability.
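The following is an added illustrative example, not D-Link's code and not taken from the advisory or the proof-of-concept: it shows the CWE-78 pattern described in the analysis above (a request-derived SSDP field reaching an OS command) next to the hardened form that the SI-10 control calls for. The helper script path, the assumption that the injected field is a peer address from an SSDP header, and the use of /bin/echo as a stand-in for the real helper are all assumptions made for the example.

```c
/*
 * Added example (not D-Link's code and not from the advisory): the CWE-78
 * pattern behind a CGI command injection, beside its hardened counterpart.
 * Assumptions: the CGI splices one request-derived field (here, a peer
 * address taken from an SSDP header) into a helper invocation; the helper
 * path is hypothetical, and /bin/echo stands in for it when executing.
 */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <arpa/inet.h>

/* Vulnerable pattern: the field is formatted into a shell command string
 * that the handler would hand to system(). Returns that string; a value such
 * as "192.0.2.10; id" keeps its metacharacters intact, so the shell runs
 * "id" as a second command. */
const char *build_cmd_unsafe(const char *peer_addr) {
    static char cmd[256];
    /* /usr/sbin/ssdp_notify.sh is a hypothetical helper name */
    snprintf(cmd, sizeof cmd, "/usr/sbin/ssdp_notify.sh %s", peer_addr);
    return cmd;
}

/* SI-10 style validation: the field must parse as a dotted-quad IPv4
 * address, which leaves no room for shell metacharacters, spaces or
 * trailing junk. Returns 1 if accepted, 0 if rejected. */
int ssdp_field_ok(const char *s) {
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1;
}

/* Hardened launcher: validate, then execv() the helper with an argv vector.
 * No shell parses the value, so even a missed metacharacter cannot become a
 * second command. Returns the child's exit status, or -1 if the input is
 * rejected or fork/wait fails. */
int run_notify_safe(const char *peer_addr) {
    if (!ssdp_field_ok(peer_addr)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* /bin/echo stands in for the real helper in this example */
        char *const argv[] = { "/bin/echo", "notify", (char *)peer_addr, NULL };
        execv(argv[0], argv);
        _exit(127); /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* constructed attacker-controlled value, not from any real capture */
    const char *crafted = "192.0.2.10; id > /tmp/out";
    printf("unsafe command string: %s\n", build_cmd_unsafe(crafted));
    printf("validator on crafted value: %d\n", ssdp_field_ok(crafted));
    printf("hardened launcher on crafted value: %d\n", run_notify_safe(crafted));
    printf("hardened launcher on 192.0.2.10: %d\n", run_notify_safe("192.0.2.10"));
    return 0;
}
```

The two halves of the fix are independent: the allowlist stops the crafted value at the door, and exec without a shell means that even a field the allowlist gets wrong cannot be interpreted as a command separator. On an end-of-life device neither can be applied to the shipped binary, which is why the SA-22 and SC-7 controls above carry the practical weight.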