CVE-2025-55583

CRITICAL EPSS 92.2%

Published Aug 28, 202510mo ago · Modified Jun 17, 20261w ago

9.8 CVSS 3.1

Critical

Published Aug 28, 2025 10mo ago

Last Modified Jun 17, 2026 1w ago

Description

D-Link DIR-868L B1 router firmware version FW2.05WWB02 contains an unauthenticated OS command injection vulnerability in the fileaccess.cgi component. The endpoint /dws/api/UploadFile accepts a pre_api_arg parameter that is passed directly to system-level shell execution functions without sanitization or authentication. Remote attackers can exploit this to execute arbitrary commands as root via crafted HTTP requests.

CVSS Details

Base Score

9.8

Exploitability

3.9

Impact

5.9

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS Exploit Probability

92.2% percentile

Exploit & Patch Status

Public Exploit Known

No Patch Available

Weaknesses 3

CWE-306 Missing Authentication for Critical Function Authentication

CWE-668

CWE-78 OS Command Injection Injection

Affected Products 2

Vendor	Product	Version	Range
dlink	dir-868l_firmware	2.05b02	any
dlink	dir-868l	b1	any

References 3

cybermaya.in https://cybermaya.in/posts/Post-44/

ExploitThird Party Advisory
supportannouncement.us.dlink.com https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10397

Product
dlink.com https://www.dlink.com/en/security-bulletin/

Not Applicable

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.