CVE-2025-14659
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary commands on D-Link DIR-860LB1 and DIR-868LB1 routers by injecting malicious commands into the DHCP hostname parameter. Attackers can exploit this without authentication to gain full control of affected devices. Only users of these specific router models with vulnerable firmware versions are affected.
💻 Affected Systems
- D-Link DIR-860LB1
- D-Link DIR-868LB1
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete router compromise leading to network takeover, credential theft, malware deployment, and persistent backdoor installation.
Likely Case
Router compromise allowing traffic interception, DNS hijacking, and lateral movement to connected devices.
If Mitigated
Limited impact if routers are behind firewalls with strict DHCP traffic filtering.
🎯 Exploit Status
Public exploit details available in references; simple command injection via DHCP hostname field.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: Yes
Instructions:
1. Check D-Link support for firmware updates.
2. If an update is available, download it from the official site.
3. Upload it via the router admin interface.
4. Reboot the router.
🔧 Temporary Workarounds
Disable DHCP Server
Disable the vulnerable DHCP daemon and use an external DHCP server
Network Segmentation
Isolate affected routers in a separate VLAN with strict firewall rules
🧯 If You Can't Patch
- Replace affected routers with supported models
- Implement strict network monitoring for unusual DHCP traffic
🔍 How to Verify
Check if Vulnerable:
Check router firmware version in admin interface: Settings > Firmware
Check Version:
Not applicable - check via web interface
Verify Fix Applied:
Verify that the firmware version is no longer 203b01 or 203b03 (the references below name v203b03 for the DIR-860LB1 and v203b01 for the DIR-868LB1)
📡 Detection & Monitoring
Log Indicators:
- Unusual DHCP hostname entries containing shell metacharacters
- Multiple failed DHCP requests with suspicious payloads
Network Indicators:
- DHCP requests with unusually long hostnames
- DHCP traffic containing shell commands or special characters
SIEM Query:
source="dhcpd" AND (hostname="*;*" OR hostname="*|*" OR hostname="*`*" OR hostname="*$(*" OR hostname="*&*" OR hostname="*>*" OR hostname="*<*")
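The SIEM query above only matches shell metacharacters. The following script, added here as an illustration and not part of the advisory or any D-Link software, applies the same log and network indicators offline to a handful of constructed DHCP log lines: it flags hostnames that contain shell metacharacters, hostnames longer than the 63-character label limit, and hostnames that are not valid RFC 1123 names at all. The log line format, MAC addresses and hostnames are all made up for the example; adapt the LINE pattern to the format your DHCP server actually emits.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log lines (hypothetical dhcpd-style format, not from the page or a real device).
SAMPLE_LOG = "\n".join([
    "Jan 10 10:01:02 router dhcpd: DHCPREQUEST for 192.168.0.23 from aa:bb:cc:dd:ee:01 (laptop-01) via br0",
    "Jan 10 10:01:05 router dhcpd: DHCPREQUEST for 192.168.0.24 from aa:bb:cc:dd:ee:02 (pc-02$(x)) via br0",
    "Jan 10 10:01:09 router dhcpd: DHCPREQUEST for 192.168.0.25 from aa:bb:cc:dd:ee:03 (" + "a" * 80 + ") via br0",
    "Jan 10 10:01:12 router dhcpd: DHCPREQUEST for 192.168.0.26 from aa:bb:cc:dd:ee:04 (printer;x) via br0",
    "Jan 10 10:01:15 router dhcpd: DHCPACK on 192.168.0.23 to aa:bb:cc:dd:ee:01 (laptop-01) via br0",
])

# Assumed log layout: "... from <mac> (<hostname>) via <iface>". Greedy match keeps ')' inside hostnames.
LINE = re.compile(r"from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) \((?P<hostname>.*)\) via")

# Same metacharacter set as the SIEM query: ; | ` & > < and $(
META = re.compile(r"[;|`&<>]|\$\(")

# One RFC 1123 hostname label: alphanumerics and '-', no leading/trailing '-', at most 63 chars.
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
MAX_LEN = 63


@dataclass
class Finding:
    mac: str
    hostname: str
    reasons: list = field(default_factory=list)


def inspect_hostname(hostname: str) -> list:
    """Return the list of reasons a DHCP hostname looks suspicious (empty list = benign).

    An absent hostname is normal for many clients, so it is not flagged.
    """
    if not hostname:
        return []
    reasons = []
    if META.search(hostname):
        reasons.append("shell metacharacter")
    if len(hostname) > MAX_LEN:
        reasons.append("length > %d" % MAX_LEN)
    if not all(LABEL.match(label) for label in hostname.split(".")):
        reasons.append("not an RFC 1123 hostname")
    return reasons


def scan_log(text: str) -> list:
    """Scan log text line by line and return one Finding per suspicious hostname."""
    findings = []
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        reasons = inspect_hostname(m.group("hostname"))
        if reasons:
            findings.append(Finding(m.group("mac"), m.group("hostname"), reasons))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.mac}  {f.hostname[:40]!r}  {', '.join(f.reasons)}")
```

The RFC 1123 check is the broadest of the three: a hostname that fails it should never be accepted by a well-behaved client, so any such request is worth correlating against the requesting MAC address, and a burst of them from one client is a stronger signal than a single odd entry.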
🔗 References
- https://tzh00203.notion.site/D-Link-DIR-860LB1-v203b03-Command-Injection-in-DHCPd-2c6b5c52018a807eab1ae73dbd95eee3?source=copy_link
- https://tzh00203.notion.site/D-Link-DIR-868LB1-v203b01-Command-Injection-in-DHCPd-2c8b5c52018a805296c3dea51a7a4070?source=copy_link
- https://vuldb.com/?ctiid.336391
- https://vuldb.com/?id.336391
- https://vuldb.com/?submit.713701
- https://vuldb.com/?submit.714709
- https://www.dlink.com/