CVE-2025-9026
Published: 15 August 2025
Summary
CVE-2025-9026 is a high-severity command injection (CWE-77) vulnerability in D-Link DIR-860L firmware. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 24.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The OS command injection in the SSDP CGI handler (ssdpcgi_main) enables remote exploitation of a public-facing application (T1190), indirect command execution via the vulnerable function (T1202), and arbitrary Unix shell command execution (T1059.004).
NVD Description
A vulnerability was identified in D-Link DIR-860L 2.04.B04. This affects the function ssdpcgi_main of the file htdocs/cgibin of the component Simple Service Discovery Protocol. The manipulation leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
Deeper analysis
CVE-2025-9026 is an OS command injection vulnerability (CWE-77, CWE-78) affecting the ssdpcgi_main function in the htdocs/cgibin file of the Simple Service Discovery Protocol component within D-Link DIR-860L firmware version 2.04.B04. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and ease of exploitation.
The vulnerable code runs inside the router's CGI binary (htdocs/cgibin), so an unauthenticated remote attacker who can reach that handler can supply SSDP-related input that is passed to the operating system shell and thereby inject arbitrary commands. The CVSS vector rates the confidentiality, integrity and availability impacts as Low each, but the practical outcome is command execution on the device itself.
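The following is an illustrative example added here, not the DIR-860L's cgibin code and not taken from the public proof-of-concept. It shows the CWE-78 pattern the advisory describes (a CGI handler splicing request-controlled data into a shell command line) beside a hardened version that allow-lists the value and builds an argv for execv() so no shell ever parses it. The query parameter name "st", the helper binary "ssdp_search" and the request string are all constructed assumptions.

```c
/* Added illustrative example: NOT the D-Link DIR-860L cgibin source.
 * Parameter "st", the "ssdp_search" helper and the sample request are
 * hypothetical; only the vulnerability pattern (CWE-78) is the point. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Copy the value of `key` from a CGI query string ("a=1&b=2") into out.
   Returns 1 if found, 0 otherwise. No percent-decoding, kept simple. */
int get_query_param(const char *qs, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = qs;
    while (p && *p) {
        const char *amp = strchr(p, '&');
        size_t seglen = amp ? (size_t)(amp - p) : strlen(p);
        if (seglen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = seglen - klen - 1;
            if (vlen >= outlen) vlen = outlen - 1;
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = amp ? amp + 1 : NULL;
    }
    return 0;
}

/* VULNERABLE pattern: request data is concatenated into a shell command line.
   Any metacharacter in `st` (; | & ` $( ) > ...) is interpreted by /bin/sh.
   This function only builds the string so it can be inspected; a real
   handler would pass `cmd` to system() or popen(). Returns 1 on success. */
int build_ssdp_command_unsafe(const char *st, char *cmd, size_t cmdlen)
{
    return snprintf(cmd, cmdlen, "ssdp_search -t %s", st) < (int)cmdlen;
}

/* Allow-list check for an SSDP search target. Legitimate ST values
   ("ssdp:all", "upnp:rootdevice", "uuid:...", "urn:schemas-upnp-org:...")
   only use these characters; anything else is rejected outright. */
int is_valid_search_target(const char *st)
{
    size_t n = strlen(st);
    if (n == 0 || n > 128) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)st[i];
        if (!(isalnum(c) || c == ':' || c == '-' || c == '_' || c == '.'))
            return 0;
    }
    return 1;
}

/* HARDENED pattern: validate first, then build an argv for execv() so the
   value is one argument and never goes through a shell.
   Returns the number of argv entries filled, 0 if the value was rejected. */
int build_ssdp_argv_safe(const char *st, const char *argv[4])
{
    if (!is_valid_search_target(st)) return 0;
    argv[0] = "/usr/sbin/ssdp_search"; /* hypothetical helper binary */
    argv[1] = "-t";
    argv[2] = st;
    argv[3] = NULL;
    return 3;
}

int main(void)
{
    /* Constructed request: a benign ST followed by an injected command. */
    const char *qs = "action=search&st=upnp:rootdevice;id>/tmp/pwned";
    char st[256], cmd[512];
    const char *argv[4];

    if (get_query_param(qs, "st", st, sizeof st)) {
        build_ssdp_command_unsafe(st, cmd, sizeof cmd);
        printf("unsafe command line: %s\n", cmd);   /* a shell would run both */
        printf("hardened handler accepted: %d\n", build_ssdp_argv_safe(st, argv));
    }
    return 0;
}
```

The hardened path rejects the injected value before any process is spawned; even a value that passed validation would reach the helper as a single argv entry rather than as shell text, which is the structural fix for this weakness class.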
Advisories from VulDB and a GitHub issue disclose the exploit publicly, with details available at referenced URLs including vuldb.com/?ctiid.320091 and github.com/i-Corner/cve/issues/17. The vulnerability only affects products no longer supported by D-Link, so no patches or mitigations are provided by the maintainer.
This issue is notable because the public exploit disclosure increases risk for exposed, end-of-life DIR-860L devices still in use. Since D-Link will not issue a fix, the practical options are to retire the device or, failing that, keep its web interface and UPnP/SSDP handling unreachable from untrusted networks and treat requests to htdocs/cgibin that carry shell metacharacters as exploitation attempts.
Details
- CWE(s)