CVE-2025-1392 in DIR-816info

Summary

by MITRE • 02/17/2025

A vulnerability has been found in D-Link DIR-816 1.01TO and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /cgi-bin/webproc?getpage=html/index.html&var:menu=24gwlan&var:page=24G_basic. The manipulation of the argument SSID leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/16/2025

This vulnerability resides within the D-Link DIR-816 wireless router firmware version 1.01TO, specifically targeting the web management interface through the cgi-bin/webproc script. The affected functionality operates through a parameterized URL structure that processes user input to display network configuration pages. The vulnerability stems from insufficient input validation and output encoding within the web interface handling of the SSID parameter, creating a classic cross-site scripting vulnerability that allows malicious actors to inject arbitrary JavaScript code into the router's web interface. The attack vector is remote and requires no authentication, making it particularly dangerous as it can be exploited from any location with network access to the device.

The technical flaw manifests in the improper sanitization of user-supplied data when processing the SSID parameter within the webproc script. When a user submits a value for SSID through the specified URL endpoint, the input is not properly escaped or validated before being rendered in the web page context. This creates an environment where maliciously crafted SSID values can contain JavaScript code that executes in the context of the victim's browser session. The vulnerability is classified as CWE-79 - Improper Neutralization of Input During Web Page Generation, which represents one of the most common web application security flaws. The exploitation process involves crafting a malicious SSID value that contains script tags and payload code, which then executes when the page containing the vulnerable parameter is rendered in a victim's browser.

The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform various malicious activities including session hijacking, credential theft, and modification of router configuration settings. An attacker could potentially redirect users to malicious websites, steal administrative session cookies, or even modify network settings to redirect traffic through attacker-controlled servers. The vulnerability's remote nature means that attackers can exploit it without physical access to the device, and since it affects a device that is no longer supported by the vendor, there are no official patches or updates available to address the issue. This makes the device particularly susceptible to exploitation and increases the risk to networks that continue to use unsupported hardware.

Given that this vulnerability affects an end-of-life product with no vendor support, mitigation strategies should focus on network segmentation and access controls rather than software patches. Organizations should immediately isolate affected devices from critical network segments and implement network monitoring to detect potential exploitation attempts. The recommended approach includes deploying web application firewalls to filter malicious requests, implementing strict access controls to limit who can reach the device's management interface, and considering immediate replacement of the affected hardware. Additionally, network administrators should conduct thorough inventory audits to identify all instances of this vulnerable firmware and ensure that these devices are either patched with third-party firmware solutions or physically removed from production networks. The ATT&CK framework categorizes this vulnerability under T1190 - Exploit Public-Facing Application, highlighting the importance of maintaining current firmware and implementing proper network segmentation as defensive measures against such attacks.

Responsible

VulDB

Disclosure

02/17/2025

Moderation

accepted

CPE

ready

EPSS

0.06817

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!