CVE-2025-22968 – This critical vulnerability in D-Link DWR-M972V... (How to Fix)

Q: What is the severity of CVE-2025-22968?

CVE-2025-22968 has a CVSS score of 9.8 (CRITICAL). This critical vulnerability in D-Link DWR-M972V routers allows remote attackers to execute arbitrary code with root privileges via SSH without authentication. Anyone using the affected router version is vulnerable to complete device takeover.

📋 TL;DR

This critical vulnerability in D-Link DWR-M972V routers allows remote attackers to execute arbitrary code with root privileges via SSH without authentication. Anyone using the affected router version is vulnerable to complete device takeover.

💻 Affected Systems

Products:

D-Link DWR-M972V

Versions: 1.05SSG

Operating Systems: Embedded Linux

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the default configuration. SSH service appears to be enabled by default with root access unrestricted.

📦 What is this software?

Dwr M972v Firmware by Dlink

View all CVEs affecting Dwr M972v Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the router allowing attackers to intercept all network traffic, install persistent malware, pivot to internal networks, and use the device for botnet activities.

🟠

Likely Case

Router takeover leading to DNS hijacking, credential theft from network traffic, and use as a proxy for malicious activities.

🟢

If Mitigated

Limited impact if SSH is disabled and device is not internet-facing, though local network attacks remain possible.

🌐 Internet-Facing: HIGH - Direct remote exploitation possible without authentication via exposed SSH service.

🏢 Internal Only: HIGH - Even internally, attackers can exploit this without credentials to gain root access.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit code available on GitHub. Attack requires only SSH access to the device with root credentials that appear to be hardcoded or unrestricted.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://www.dlink.com/en/security-bulletin/

Instructions:

No official patch available. Monitor D-Link security bulletin for updates. Consider replacing affected devices if no patch becomes available.

🔧 Temporary Workarounds

Disable SSH Service

all

Completely disable SSH access to prevent exploitation

Check router admin interface for SSH settings and disable
If possible via CLI: systemctl disable sshd

Network Segmentation

all

Isolate router from internet and restrict internal access

Configure firewall to block SSH port 22 inbound/outbound
Implement VLAN segmentation

🧯 If You Can't Patch

Immediately disable SSH service through router administration interface
Replace affected device with a different model or from different vendor

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface. If version is 1.05SSG, device is vulnerable.

Check Version:

Check via router web interface at http://router-ip or via serial console if available

Verify Fix Applied:

No official fix available. Verify SSH is disabled by attempting SSH connection to router (ssh root@router-ip). Connection should fail.

📡 Detection & Monitoring

Log Indicators:

Failed SSH login attempts to root account
Successful SSH login as root from unexpected sources
Unusual process execution on router

Network Indicators:

SSH connections to router from external IPs
Unusual outbound traffic from router
DNS queries to malicious domains from router

SIEM Query:

source="router_logs" (event="ssh" AND user="root") OR (event="authentication" AND result="success" AND user="root")

📊 Metadata

CVE ID: CVE-2025-22968

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-94

EPSS Score: 41.25% exploit probability (97.3th percentile)

Published: January 15, 2025

Last Updated: May 21, 2025

🔗 References

https://github.com/CRUNZEX/CVE-2025-22968 Exploit,Third Party Advisory
https://github.com/CRUNZEX/CVE-DLINK-LTE Exploit,Third Party Advisory
https://www.dlink.com/en/security-bulletin/ Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-22968, you might also want to check these: