CVE Alert: CVE-2025-9752 – D-Link – DIR-852
CVE-2025-9752
A security vulnerability has been detected in D-Link DIR-852 1.00CN B09. Affected is the function soapcgi_main of the file soap.cgi in the SOAP Service component. Manipulation of the argument service leads to OS command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
AI Summary Analysis
Risk verdict
High risk: a publicly disclosed remote command injection with an available proof-of-concept exploit; proceed with urgent mitigations.
Why this matters
The vulnerability enables remote, unauthenticated command execution on a consumer routing device, potentially allowing full device compromise and a foothold inside the network behind it. With vendor support ended, no official patch is expected, which raises the risk for organisations still running exposed DIR-852 units in SMB/branch or home-office environments.
Most likely attack path
- Exploitation requires no user interaction (UI:N) and no privileges (PR:N); an attacker can trigger it with a single crafted request to the SOAP endpoint (soap.cgi) over the network (AV:N, AC:L).
- Scope is unchanged (the attacker gains control of the router itself, not directly of other components), but command execution on the device can lead to persistent compromise, traffic interception or data exposure, and lateral movement into the network the device fronts.
Who is most exposed
Devices deployed at the network edge with the management interface (and therefore soap.cgi) reachable from the WAN, especially in small-business and home deployments where firmware support has ended and nobody is monitoring the device.
Detection ideas
- Look for HTTP requests to soap.cgi whose service parameter contains shell metacharacters (`;`, `|`, `&`, backticks, `$(`) or their URL-encoded and double-encoded equivalents; a legitimate service name never needs them.
- Unusual process activity or new outbound connections from the router (for example to download a second-stage binary) shortly after a request to the SOAP endpoint.
- Unexpected child processes of soapcgi_main, or unexpected shell activity and file-system changes, if host telemetry is available; note that a stock DIR-852 exposes no such telemetry, so in practice detection has to be network-based (perimeter logs, IDS/IPS, or a tap in front of the device).
- IDS/IPS alerts for command-injection patterns targeting SOAP services.
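As an added example (not code from the site or from the vendor), the first detection idea applied to captured requests. It assumes the service argument reaches soap.cgi through the URL query string, a form-encoded body, or a `<service>` element in a SOAP body; that is an assumption about the request format, not something stated in the advisory, so adapt the extraction to what you actually see on the wire. The sample requests are constructed and use documentation IP ranges.

```python
"""Flag requests to soap.cgi whose `service` argument carries shell metacharacters.

Added example, not the advisory's or D-Link's code. Assumption: the argument
arrives via the query string, a form-encoded body, or a <service> XML element.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Characters that have no business in a SOAP service name but are what a
# shell needs to chain a second command. `$` and `(` are literal inside [].
SHELL_META = re.compile(r"[;|&`$(){}\r\n<>]")


def decode_deep(value, rounds=3):
    """URL-decode repeatedly (up to `rounds` times) so double-encoding such as
    %253B (-> %3B -> ;) does not slip past the check."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value


def extract_service(path, body):
    """Return every candidate `service` value found in the request.

    parse_qs splits on a raw `&` exactly as the CGI's own parser would, so an
    attacker who wants `&&` to reach the shell must encode it as %26%26, which
    parse_qs decodes and the metacharacter check then sees."""
    candidates = []
    candidates += parse_qs(urlsplit(path).query, keep_blank_values=True).get("service", [])
    if body:
        candidates += parse_qs(body, keep_blank_values=True).get("service", [])
        candidates += re.findall(r"<service>(.*?)</service>", body, flags=re.S)
    return candidates


def analyse_request(src_ip, method, path, body=""):
    """Return a finding dict for a suspicious soap.cgi request, else None."""
    if not path.split("?", 1)[0].endswith("/soap.cgi"):
        return None  # the vulnerable handler lives only behind soap.cgi
    for raw in extract_service(path, body):
        decoded = decode_deep(raw)
        if SHELL_META.search(decoded):
            return {"src": src_ip, "method": method, "service": decoded}
    return None


def scan(requests):
    """Run analyse_request over (src_ip, method, path, body) tuples."""
    return [f for f in (analyse_request(*r) for r in requests) if f]


# Constructed sample traffic: one benign SOAP call, injection attempts via
# single encoding, double encoding, a form body and a SOAP body, plus a
# request to a different CGI that must be ignored.
SAMPLE_REQUESTS = [
    ("192.0.2.10", "POST", "/soap.cgi?service=WANIPConn1", ""),
    ("203.0.113.5", "POST", "/soap.cgi?service=WANIPConn1%3Bid", ""),
    ("203.0.113.5", "POST", "/soap.cgi?service=WANIPConn1%2526%2526id", ""),
    ("198.51.100.7", "GET", "/index.html?service=%3Bid", ""),
    ("203.0.113.9", "POST", "/soap.cgi", "service=WANIPConn1%60id%60"),
    ("203.0.113.9", "POST", "/soap.cgi",
     "<soap:Body><service>WANIPConn1|id</service></soap:Body>"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(f"{finding['src']} {finding['method']} soap.cgi service={finding['service']!r}")
```

Feed it whatever reconstructs HTTP requests in your environment (a proxy log parser, Zeek http.log, or Suricata's `http` event fields); the metacharacter check is deliberately simple so that it does not depend on the exact payload of any particular proof of concept.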
Mitigation and prioritisation
- Patch status: no official patch is available and none is expected for an end-of-life product; plan to replace or decommission the device.
- Compensating controls: make sure the management interface, and soap.cgi in particular, is not reachable from the WAN; disable remote administration if it is not needed; apply strict firewall rules at the perimeter in front of the device.
- Network controls: segment affected devices away from sensitive networks; require a VPN for any administrative access.
- Monitoring: log traffic to the SOAP endpoint and deploy network-based detection for command-injection patterns, since the device itself offers no host telemetry.
- Change management: inventory and tag affected devices; plan an upgrade path and procure replacements that still receive security support. If the CVE is added to CISA KEV or its EPSS score reaches 0.5 or higher, escalate to priority 1.