Login Sign Up

CVE-2025-4445

6.3 MEDIUM
Remote Code Execution

📋 TL;DR

This critical vulnerability in D-Link DIR-605L routers allows remote attackers to execute arbitrary commands via command injection in the wake_on_lan function's mac parameter. Only users of the DIR-605L router with firmware version 2.13B01 are affected, and this product is no longer supported by the vendor.

💻 Affected Systems

Products:
  • D-Link DIR-605L
Versions: 2.13B01
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects this specific firmware version. Product is end-of-life with no vendor support.

📦 What is this software?

Dir 605l Firmware by Dlink

View all CVEs affecting Dir 605l Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the router allowing attackers to establish persistent access, intercept network traffic, pivot to internal systems, or use the device for botnet activities.

🟠

Likely Case

Remote code execution leading to router configuration changes, DNS hijacking, credential theft, or denial of service.

🟢

If Mitigated

Limited impact if the router is behind a firewall with restricted WAN access and proper network segmentation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details available in GitHub repository. Remote exploitation requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://www.dlink.com/

Restart Required: No

Instructions:

No official patch available. The product is end-of-life and no longer supported by D-Link.

🔧 Temporary Workarounds

Disable WAN access to management interface

linux

Block external access to router administration interface

iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Disable wake_on_lan functionality

linux

Turn off the vulnerable feature if not required

echo '0' > /proc/sys/net/ipv4/wol_enabled

🧯 If You Can't Patch

  • Replace the vulnerable router with a supported model
  • Isolate the router in a dedicated network segment with strict firewall rules

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via web interface at http://router_ip/ or using command: cat /proc/version

Check Version:

cat /proc/version | grep '2.13B01'

Verify Fix Applied:

No official fix available. Verify workarounds by testing external access to router management interface.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to wake_on_lan endpoint
  • Suspicious command execution in system logs
  • Multiple failed login attempts followed by successful access

Network Indicators:

  • Unusual outbound connections from router
  • DNS queries to malicious domains
  • Port scanning originating from router

SIEM Query:

source="router_logs" AND (uri="/wake_on_lan" OR command="wake_on_lan") AND (mac="*;*" OR mac="*|*" OR mac="*`*")

📊 Metadata

CVE ID: CVE-2025-4445
CVSS v3 Score: 6.3 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-74
EPSS Score: 0.19% exploit probability (41.3th percentile)
Published: May 9, 2025
Last Updated: May 13, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-4445, you might also want to check these:

CVE-2026-25520 10.0

SandboxJS versions before 0.8.29 have a critical sandbox escape vulnerability that allows attackers ...

Same vulnerability type (CWE-74)
CVE-2026-25586 10.0

This CVE describes a sandbox escape vulnerability in SandboxJS library versions before 0.8.29. Attac...

Same vulnerability type (CWE-74)
CVE-2025-20281 10.0

An unauthenticated remote code execution vulnerability in Cisco ISE and ISE-PIC API allows attackers...

Same vulnerability type (CWE-74)