CVE-2025-9026

7.3 HIGH

📋 TL;DR

This CVE describes a remote command injection vulnerability in D-Link DIR-860L routers via the Simple Service Discovery Protocol (SSDP) service. Attackers can execute arbitrary operating system commands on affected devices without authentication. Only unsupported legacy devices running firmware version 2.04.B04 are affected.

💻 Affected Systems

Products:
  • D-Link DIR-860L
Versions: 2.04.B04
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects devices with SSDP service enabled (default). Product is end-of-life with no vendor support.

📦 What is this software?

The D-Link DIR-860L is a consumer wireless router. SSDP is the UDP/1900 discovery protocol used by UPnP; on this device it is part of the UPnP feature that is enabled by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise, allowing attackers to install persistent backdoors, pivot into internal networks, steal credentials, or enrol the device in a botnet.

🟠 Likely Case

Device takeover for use in DDoS botnets, credential harvesting from connected devices, or network reconnaissance.

🟢 If Mitigated

Limited impact if the device sits behind strict firewall rules and network segmentation prevents lateral movement.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available on GitHub. Attack requires no authentication and can be automated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://www.dlink.com/

Restart Required: No

Instructions:

No official patch available. Device is end-of-life. Replace with supported hardware.

🔧 Temporary Workarounds

Disable SSDP Service (applies to: all)

Turn off the Simple Service Discovery Protocol (SSDP) service if it is not required.

Access router admin interface > Advanced > UPnP > Disable

Network Segmentation (applies to: all)

Isolate affected devices from critical network segments.

🧯 If You Can't Patch

  • Immediately replace affected devices with supported hardware
  • Implement strict firewall rules blocking all inbound traffic to affected devices

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version in the admin interface. If the version is 2.04.B04, the device is vulnerable.

Check Version:

Log in to the router admin interface and check Firmware Version under Status.

Verify Fix Applied:

No fix is available. Verify that the device has been replaced or that a workaround is in place.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SSDP traffic patterns
  • Unexpected process execution in router logs
  • Failed authentication attempts from router IP

Network Indicators:

  • SSDP requests with suspicious payloads
  • Outbound connections from router to unknown IPs
  • Port scanning originating from router

SIEM Query:

dest_ip=ROUTER_IP AND (protocol="SSDP" OR dest_port=1900) AND (payload CONTAINS "cmd" OR payload CONTAINS "sh" OR payload CONTAINS "bash")

ROUTER_IP is a placeholder for the affected device's address. Exploitation attempts arrive at the router, so inbound SSDP traffic (dest_ip) is what to inspect; use source_ip=ROUTER_IP for the post-compromise outbound indicators listed above. The keyword terms must be grouped, otherwise the trailing OR terms match on their own; note that "sh" is a short substring and will be noisy on its own.
