CVE-2025-9752 in DIR-852
Summary
by MITRE • 09/01/2025
A security vulnerability has been detected in D-Link DIR-852 1.00CN B09. Impacted is the function soapcgi_main of the file soap.cgi of the component SOAP Service. Such manipulation of the argument service leads to os command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 09/05/2025
The vulnerability identified as CVE-2025-9752 represents a critical command injection flaw within the D-Link DIR-852 router firmware version 1.00CN B09. This security weakness resides in the SOAP service component, specifically within the soapcgi_main function of the soap.cgi file, making it a prime target for remote exploitation. The vulnerability stems from inadequate input validation and sanitization of the service argument parameter, which allows malicious actors to inject arbitrary operating system commands directly into the router's execution environment. The affected device operates with a SOAP service that handles remote procedure calls, creating an attack surface where unfiltered user input can be executed as system commands, potentially granting attackers full control over the device's operating system.
The technical exploitation of this vulnerability follows a well-established pattern that aligns with CWE-77 and CWE-94, which categorize command injection and code injection flaws respectively. Attackers can remotely submit malicious input through the SOAP service interface, manipulating the service parameter to execute arbitrary commands on the underlying operating system. This type of vulnerability typically allows for privilege escalation, remote code execution, and potentially complete system compromise. The attack vector is particularly dangerous because it requires no authentication for exploitation, and the public disclosure of exploit code increases the likelihood of automated attacks against vulnerable devices. The router's web interface, which is accessible via standard HTTP protocols, serves as the primary entry point for attackers to deliver malicious payloads through the SOAP service endpoint.
The operational impact of this vulnerability extends beyond simple device compromise, as it creates persistent security risks for networks that continue to operate unsupported equipment. Organizations and individuals using the D-Link DIR-852 router may face unauthorized access to their network infrastructure, potential data exfiltration, and the ability to use the compromised device as a launchpad for further attacks against internal networks. The fact that this vulnerability affects a device that is no longer supported by the manufacturer significantly amplifies the risk, as users cannot obtain official patches or security updates to remediate the issue. Network administrators who have not migrated away from this unsupported firmware version remain exposed to potential exploitation, particularly in environments where legacy networking equipment continues to operate without proper security monitoring or network segmentation.
Mitigation strategies for CVE-2025-9752 must prioritize immediate action to address the vulnerability, given the public availability of exploit code. The primary recommendation involves discontinuing use of the affected D-Link DIR-852 firmware version and migrating to supported equipment with current security patches. Network segmentation should be implemented to isolate affected devices from critical network infrastructure, while continuous monitoring of network traffic for suspicious activity related to SOAP service communications becomes essential. Additionally, implementing network access controls to restrict access to the router's web interface and SOAP service endpoints can help reduce the attack surface. Organizations should also consider deploying intrusion detection systems that can identify and alert on suspicious command injection patterns targeting the specific SOAP service interface, aligning with ATT&CK technique T1059.001 for command and script injection. The vulnerability demonstrates the critical importance of maintaining up-to-date firmware and the dangers of operating unsupported network equipment in production environments.