CVE-2025-9745 – This CVE describes an OS command injection vuln... (How to Fix)

📋 TL;DR

This CVE describes an OS command injection vulnerability in D-Link DI-500WF routers that allows remote attackers to execute arbitrary commands on affected devices. The vulnerability exists in the jhttpd component's /version_upgrade.asp file and can be exploited by manipulating the 'path' argument. Organizations and individuals using the affected router model are at risk.

💻 Affected Systems

Products:

D-Link DI-500WF

Versions: 14.04.10A1T

Operating Systems: Embedded Linux

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the specific firmware version; other versions may also be vulnerable but unconfirmed.

📦 What is this software?

Di 500wf Firmware by Dlink

View all CVEs affecting Di 500wf Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing attacker to install persistent backdoors, intercept network traffic, pivot to internal networks, or brick the device.

🟠

Likely Case

Attacker gains shell access to router, modifies configurations, intercepts traffic, or uses device as pivot point for further attacks.

🟢

If Mitigated

Limited impact due to network segmentation, firewall rules, or lack of internet exposure.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public proof-of-concept available on GitHub; exploitation appears straightforward based on disclosed details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: Yes

Instructions:

1. Check D-Link support site for firmware updates
2. Download latest firmware if available
3. Upload via router admin interface
4. Reboot router after update

🔧 Temporary Workarounds

Network Segmentation

all

Isolate affected routers from critical networks and internet exposure

Firewall Rules

all

Block external access to router admin interface and restrict internal access

🧯 If You Can't Patch

Replace affected routers with supported models
Implement strict network segmentation and access controls

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface; if version is 14.04.10A1T, device is vulnerable.

Check Version:

Check router web interface or use: curl -s http://router-ip/version_upgrade.asp

Verify Fix Applied:

Verify firmware version has been updated to a version later than 14.04.10A1T.

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to /version_upgrade.asp
Suspicious command execution in system logs
Unexpected configuration changes

Network Indicators:

Unusual outbound connections from router
Traffic to known malicious IPs from router
Port scanning originating from router

SIEM Query:

source="router-logs" AND (uri="/version_upgrade.asp" OR command="*;*" OR command="*|*")

📊 Metadata

CVE ID: CVE-2025-9745

CVSS v3 Score: 4.7 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-77

EPSS Score: 0.11% exploit probability (29.9th percentile)

Published: August 31, 2025

Last Updated: September 4, 2025

🔗 References

https://github.com/physicszq/Routers/blob/main/tmp/01/poc.py Exploit
https://github.com/physicszq/Routers/tree/main/tmp/01 Exploit
https://vuldb.com/?ctiid.322044 Permissions Required,VDB Entry
https://vuldb.com/?id.322044 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.640394 Third Party Advisory,VDB Entry
https://www.dlink.com/ Product
https://github.com/physicszq/Routers/blob/main/tmp/01/poc.py Exploit
https://github.com/physicszq/Routers/tree/main/tmp/01 Exploit

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-9745, you might also want to check these: