CVE-2025-55583

CRITICAL

9.8

Descricao

D-Link DIR-868L B1 router firmware version FW2.05WWB02 contains an unauthenticated OS command injection vulnerability in the fileaccess.cgi component. The endpoint /dws/api/UploadFile accepts a pre_api_arg parameter that is passed directly to system-level shell execution functions without sanitization or authentication. Remote attackers can exploit this to execute arbitrary commands as root via crafted HTTP requests.

Detalhes CVE

Pontuacao CVSS v3.19.8

SeveridadeCRITICAL

Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vetor de ataqueNETWORK

ComplexidadeLOW

Privilegios necessariosNONE

Interacao do usuarioNONE

Publicado8/28/2025

Ultima modificacao9/9/2025

Fontenvd

Avistamentos honeypot0

Produtos afetados

dlink:dir-868ldlink:dir-868l_firmware

Fraquezas (CWE)

CWE-78CWE-306CWE-668

Referencias

https://cybermaya.in/posts/Post-44/(cve@mitre.org)

https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10397(cve@mitre.org)

https://www.dlink.com/en/security-bulletin/(cve@mitre.org)

https://cybermaya.in/posts/Post-44/(134c704f-9b21-4f2e-91b3-4a467353bcc0)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.