Cyber Posture

CVE-2025-9727

MediumPublic PoC

Published: 31 August 2025

Published
31 August 2025
Modified
29 April 2026
KEV Added
Patch
CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0023 45.8th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-9727 is a medium-severity Command Injection (CWE-77) vulnerability in Dlink Dir-816L Firmware. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).
Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SC-27 Platform-independent Applications
addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

SI-10 Information Input Validation
addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

OS command injection in public-facing /soap.cgi endpoint directly enables remote exploitation of the network device for arbitrary command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A weakness has been identified in D-Link DIR-816L 206b01. Affected by this issue is the function soapcgi_main of the file /soap.cgi. This manipulation of the argument service causes os command injection. Remote exploitation of the attack is possible. The exploit…

more

has been made available to the public and could be exploited. This vulnerability only affects products that are no longer supported by the maintainer.

Deeper analysisAI

CVE-2025-9727 is an OS command injection vulnerability (CWE-77, CWE-78) affecting the D-Link DIR-816L router on firmware version 206b01. The flaw exists in the soapcgi_main function of the /soap.cgi file, where manipulation of the 'service' argument enables injection of operating system commands. This issue was published on 2025-08-31 and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). It exclusively impacts products that are no longer supported by the maintainer.

Remote attackers with low privileges can exploit this vulnerability over the network without user interaction. By crafting a malicious request to the affected /soap.cgi endpoint, they can execute arbitrary OS commands, potentially leading to limited impacts on confidentiality, integrity, and availability, such as data leakage, modification, or service disruption on the device.

Advisories from VulDB (ctiid.322016, id.322016) and a GitHub repository (scanleale/IOT_sec/blob/main/DIR-816L.pdf) document the vulnerability details and confirm a proof-of-concept exploit is publicly available. No patches or mitigations are provided, as the D-Link DIR-816L is end-of-support, leaving affected devices exposed to potential exploitation.

Details

CWE(s)
CWE-77CWE-78

Affected Products

dlink
dir-816l firmware
2.06b01

CVEs Like This One

CVE-2025-13188Same product: Dlink Dir-816L
CVE-2025-13189Same product: Dlink Dir-816L
CVE-2025-13191Same product: Dlink Dir-816L
CVE-2025-7836Same product: Dlink Dir-816L
CVE-2026-2175Same vendor: Dlink
CVE-2026-2210Same vendor: Dlink
CVE-2026-2260Same vendor: Dlink
CVE-2026-2081Same vendor: Dlink
CVE-2026-2157Same vendor: Dlink
CVE-2026-4465Same vendor: Dlink

References