Cyber Resilience

CVE-2025-9727

LowPublic PoC

Published: 31 August 2025

Published
31 August 2025
Modified
29 April 2026
KEV Added
Patch
CVSS Score v4 2.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0039 60.6th percentile
Risk Priority 4 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-9727 is a low-severity Command Injection (CWE-77) vulnerability in Dlink Dir-816L Firmware. Its CVSS base score is 2.1 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 39.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-9727 is an OS command injection vulnerability (CWE-77, CWE-78) affecting the D-Link DIR-816L router on firmware version 206b01. The flaw exists in the soapcgi_main function of the /soap.cgi file, where manipulation of the 'service' argument enables injection of operating system commands. This issue was published on 2025-08-31 and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). It exclusively impacts products that are no longer supported by the maintainer.

Remote attackers with low privileges can exploit this vulnerability over the network without user interaction. By crafting a malicious request to the affected /soap.cgi endpoint, they can execute arbitrary OS commands, potentially leading to limited impacts on confidentiality, integrity, and availability, such as data leakage, modification, or service disruption on the device.

Advisories from VulDB (ctiid.322016, id.322016) and a GitHub repository (scanleale/IOT_sec/blob/main/DIR-816L.pdf) document the vulnerability details and confirm a proof-of-concept exploit is publicly available. No patches or mitigations are provided, as the D-Link DIR-816L is end-of-support, leaving affected devices exposed to potential exploitation.

EU & UK References

Vulnerability details

A weakness has been identified in D-Link DIR-816L 206b01. Affected by this issue is the function soapcgi_main of the file /soap.cgi. This manipulation of the argument service causes os command injection. Remote exploitation of the attack is possible. The exploit…

more

has been made available to the public and could be exploited. This vulnerability only affects products that are no longer supported by the maintainer.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

OS command injection in public-facing /soap.cgi endpoint directly enables remote exploitation of the network device for arbitrary command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-13191Same product: Dlink Dir-816L
CVE-2025-13188Same product: Dlink Dir-816L
CVE-2025-13189Same product: Dlink Dir-816L
CVE-2025-7836Same product: Dlink Dir-816L
CVE-2026-2260Same vendor: Dlink
CVE-2026-4465Same vendor: Dlink
CVE-2026-2210Same vendor: Dlink
CVE-2026-8273Same vendor: Dlink
CVE-2026-2082Same vendor: Dlink
CVE-2026-5844Same vendor: Dlink

Affected Assets

dlink
dir-816l firmware
2.06b01

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of the 'service' argument in soap.cgi to block OS command injection (CWE-78).

prevent

Mandates replacement or isolation of the DIR-816L because it is explicitly end-of-support with no patches available.

prevent

Restricts network exposure of the vulnerable /soap.cgi endpoint, limiting remote unauthenticated or low-privilege injection attempts.

References