Login Sign Up

CVE-2025-14884

7.2 HIGH
Remote Code Execution

📋 TL;DR

This CVE describes a command injection vulnerability in the firmware update service of D-Link DIR-605 routers with firmware version 202WWB03. Attackers can remotely execute arbitrary commands on affected devices, potentially gaining full control. Only products no longer supported by D-Link are affected.

💻 Affected Systems

Products:
  • D-Link DIR-605
Versions: Firmware version 202WWB03
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects end-of-life products no longer receiving vendor support. The firmware update service is typically enabled by default.

📦 What is this software?

Dir 605 Firmware by Dlink

View all CVEs affecting Dir 605 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing persistent backdoor installation, network pivoting, credential theft, and botnet recruitment.

🟠

Likely Case

Remote code execution leading to device takeover, DNS hijacking, traffic interception, and lateral movement within the network.

🟢

If Mitigated

Limited impact if devices are isolated behind firewalls with strict inbound filtering, though internal exploitation risk remains.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details available in the reference links. Remote exploitation requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://www.dlink.com/

Restart Required: No

Instructions:

No official patch available since product is end-of-life. Replace affected hardware with supported models.

🔧 Temporary Workarounds

Disable WAN access to management interface

all

Block external access to router management services

Configure firewall to block inbound connections to ports 80, 443, 8080 on WAN interface

Disable firmware update service

all

Turn off automatic firmware updates if possible

Check router web interface for firmware update settings

🧯 If You Can't Patch

  • Isolate affected routers in separate VLAN with strict network segmentation
  • Implement network monitoring for suspicious outbound connections from router IPs

🔍 How to Verify

Check if Vulnerable:

Check router web interface for firmware version. If version is 202WWB03 and model is DIR-605, device is vulnerable.

Check Version:

Login to router web interface and navigate to Status > Firmware or similar section

Verify Fix Applied:

No fix available to verify. Replacement with supported hardware is the only solution.

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in system logs
  • Firmware update service receiving malformed requests
  • Unexpected process creation

Network Indicators:

  • HTTP requests to firmware update endpoint with shell metacharacters
  • Outbound connections from router to suspicious IPs

SIEM Query:

source="router_logs" AND ("firmware update" OR "command injection" OR shell metacharacters in URI)

📊 Metadata

CVE ID: CVE-2025-14884
CVSS v3 Score: 7.2 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-74
EPSS Score: 0.66% exploit probability (70.5th percentile)
Published: December 18, 2025
Last Updated: January 7, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-14884, you might also want to check these:

CVE-2026-25520 10.0

SandboxJS versions before 0.8.29 have a critical sandbox escape vulnerability that allows attackers ...

Same vulnerability type (CWE-74)
CVE-2026-25586 10.0

This CVE describes a sandbox escape vulnerability in SandboxJS library versions before 0.8.29. Attac...

Same vulnerability type (CWE-74)
CVE-2025-20281 10.0

An unauthenticated remote code execution vulnerability in Cisco ISE and ISE-PIC API allows attackers...

Same vulnerability type (CWE-74)