Critical Vulnerability Information

Vulnerability Overview

- CVE ID: CVE-2025-55583
- Affected Device: D-Link DIR-868L B1 (Firmware: V2.06WWB02)
- Firmware SHA-256: 4f79e5d5c5a5b5f5d5f5d5f5d5f5d5f5d5f5d5f5d5f5d5f5d5f5d5f5d5f5d5f5
- Impact: Unauthorized root-level command execution
- Severity: High

Vulnerability Details

- Vulnerable Component: /cgi-bin/firmware.cgi
- Parameter: proc_args
- Issue: Unvalidated input directly passed to shell call function
- Attack Type: Remote (network-accessible interface)
- CWE ID:
  - CWE-78: OS Command Injection
  - CWE-306: Missing Authentication for Critical Function
  - CWE-668: Exposure of Resource to Wrong Sphere

Attack Vector

Unauthorized Remote Access
- Exploitable by default on LAN
- Exploitable over WAN if remote access or port forwarding is enabled

Exploitation Steps:
1. Send a crafted HTTP request to /cgi-bin/firmware.cgi with the proc_args parameter
2. Inject arbitrary commands via the proc_args parameter
3. Gain root-level access on the device

Impact

- Full device control from LAN or WAN
- Persistent backdoor via modification of boot scripts
- Traffic interception in DNS hijacking scenarios
- Inclusion in internal network activities
- Lateral network control in home or enterprise environments

Severity Assessment

- CVSS v3.1 Base Score: 8.8 (High)
- CVSS v4.0 Base Score: 9.8 (Critical)

Recommendations

Users:
- Immediately disconnect vulnerable DIR-868L B1 routers from internal networks
- Disable remote management and turn off port forwarding
- Replace with models receiving ongoing updates

Vendor:
- Validate and sanitize CGI input parameters
- Remove direct shell calls from web binaries
- Implement defense-in-depth for web-facing services
- Deprecate or patch legacy CGI instances

Vendor Communication

- July 29, 2025: Initial disclosure sent to D-Link PSIRT with technical documentation
- July 30, 2025: Vendor acknowledged and confirmed advisory published under SA#10307
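
The first two vendor recommendations (validate CGI input, remove direct shell calls) can be combined as in the C sketch below. It is an added example, not D-Link's code and not part of the original advisory; the argument grammar, the limits, the helper path passed by the caller and all function names are assumptions.

```c
#include <ctype.h>
#include <spawn.h>
#include <string.h>
#include <sys/wait.h>

#define MAX_ARGS 8    /* assumed limit on the number of arguments */
#define MAX_LEN  128  /* assumed limit on the raw parameter length */

/* Allowlist check for a proc_args-style value: tokens of [A-Za-z0-9_.=-]
 * separated by single spaces. Shell metacharacters, slashes, control
 * characters and tokens starting with '-' (option injection) are rejected. */
int proc_args_valid(const char *s) {
    size_t n = s ? strlen(s) : 0;
    if (n == 0 || n > MAX_LEN)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        int start = (i == 0 || s[i - 1] == ' ');
        if (c == ' ') {
            if (start || i + 1 == n)   /* leading, doubled or trailing space */
                return 0;
        } else if (!(isalnum(c) || strchr("_.=-", c)) || (start && c == '-')) {
            return 0;
        }
    }
    return 1;
}

/* Split validated input into argv[1..]; buf is modified in place.
 * Returns argc including argv[0], or -1 if the input is rejected. */
int build_argv(const char *helper, char *buf, char *argv[MAX_ARGS + 2]) {
    int argc = 0;
    if (!proc_args_valid(buf))
        return -1;
    argv[argc++] = (char *)helper;
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        if (argc > MAX_ARGS)
            return -1;
        argv[argc++] = tok;
    }
    argv[argc] = NULL;
    return argc;
}

/* Run the helper with posix_spawn and a fixed environment, so no shell ever
 * parses the request data. Returns the exit status, or -1 on rejection. */
int run_helper(const char *helper, char *buf) {
    char *argv[MAX_ARGS + 2], *envp[] = { "PATH=/usr/sbin:/sbin:/bin", NULL };
    pid_t pid;
    int status;
    if (build_argv(helper, buf, argv) < 0 || posix_spawn(&pid, helper, NULL, NULL, argv, envp) != 0)
        return -1;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

Input validation alone does not address CWE-306; the handler still needs an authentication check before any of this code is reached.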