
CVE-2025-10628: D-Link DIR-852 Firmware RCE Vulnerability

CVE-2025-10628 is a command injection flaw in D-Link DIR-852 firmware affecting the Web Management Interface. Attackers can remotely execute arbitrary code. This article covers technical details, affected versions, and mitigation.

CVE-2025-10628 Overview

CVE-2025-10628 is a command injection vulnerability in the D-Link DIR-852 router running firmware version 1.00CN B09. The flaw resides in the /htdocs/cgibin/hedwig.cgi script within the Web Management Interface. Attackers can manipulate request parameters to inject operating system commands that execute on the underlying device. The exploit has been publicly disclosed. D-Link no longer supports the DIR-852, so no official patch will be released. The vulnerability is tracked under [CWE-74] (Improper Neutralization of Special Elements in Output) and [CWE-77] (Command Injection).

Critical Impact

Authenticated remote attackers can inject arbitrary operating system commands through the hedwig.cgi endpoint on end-of-life D-Link DIR-852 routers, with no vendor patch available.

Affected Products

  • D-Link DIR-852 hardware router
  • D-Link DIR-852 firmware version 1.00CN B09
  • Component: Web Management Interface (/htdocs/cgibin/hedwig.cgi)

Discovery Timeline

  • 2025-09-18 - CVE-2025-10628 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-10628

Vulnerability Analysis

The DIR-852 ships with a CGI binary at /htdocs/cgibin/hedwig.cgi that handles configuration requests submitted from the Web Management Interface. The handler processes user-controlled input without sanitizing shell metacharacters before passing values to a system command interpreter. An attacker who can reach the management interface and supply crafted parameters can break out of the intended command context and execute arbitrary commands as the web server process, which typically runs with root privileges on consumer SOHO routers.

Because the DIR-852 is an end-of-life device, the firmware will not receive a fix. The EPSS score of 8.849% (94.5th percentile) reflects elevated exploitation interest relative to the broader CVE population, and the public disclosure of exploit details increases the likelihood of opportunistic abuse.

Root Cause

The root cause is improper neutralization of special elements used in an OS command [CWE-77]. Input received by hedwig.cgi is concatenated into a shell command string and executed without input validation, escaping, or use of a safe execution API such as execve with argument arrays.

Attack Vector

Exploitation occurs over the network against the router's HTTP management interface. The CVSS 4.0 vector indicates the attacker requires low privileges (PR:L), meaning a valid management session or default credentials are necessary to invoke the vulnerable handler. Once authenticated, the attacker submits a crafted HTTP request to hedwig.cgi containing shell metacharacters in a manipulated parameter. The injected commands execute in the router's shell, enabling persistence, traffic interception, lateral movement into the internal network, or recruitment into a botnet.

No verified proof-of-concept code is referenced in the NVD entry. Technical details are tracked in the GitHub issue for CVE-31 and VulDB entry 324658.

Detection Methods for CVE-2025-10628

Indicators of Compromise

  • HTTP POST or GET requests to /htdocs/cgibin/hedwig.cgi containing shell metacharacters such as ;, |, &, `, or $() in parameter values
  • Outbound connections from the router's WAN or LAN interface to unfamiliar IP addresses, particularly on ports associated with reverse shells or IRC command-and-control
  • Unexpected processes such as wget, curl, tftp, nc, or busybox spawned by the CGI handler in router logs
  • New or modified files in writable firmware paths such as /tmp or /var

Detection Strategies

  • Inspect HTTP request logs on upstream proxies or network sensors for requests to hedwig.cgi containing command separators or URL-encoded shell characters
  • Deploy network intrusion detection signatures that match command injection patterns targeting D-Link CGI endpoints
  • Monitor DNS resolution from the router's IP address for queries to non-typical destinations, indicating potential compromise
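A log-sifting check for the first two strategies above, written as an added example that is not part of the original advisory: it scans constructed Common Log Format lines for requests to hedwig.cgi whose decoded parameter values contain the metacharacters listed under Indicators of Compromise, including URL-encoded and double-encoded forms. The parameter names and sample traffic are constructed, since the page does not name the vulnerable parameter.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

TARGET_PATH = "/htdocs/cgibin/hedwig.cgi"
# Metacharacters from the IoC list (; | & ` and $( ), checked per decoded parameter value.
META_RE = re.compile(r"[;|&`]|\$\(")
# Common Log Format: src ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample traffic, not real captures. Parameter name 'service' is an assumption.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2025:10:01:02 +0000] "GET /htdocs/cgibin/hedwig.cgi?service=status HTTP/1.1" 200 512
192.0.2.11 - - [18/Sep/2025:10:01:05 +0000] "GET /htdocs/cgibin/hedwig.cgi?service=status%3Bid HTTP/1.1" 200 512
192.0.2.12 - - [18/Sep/2025:10:01:09 +0000] "GET /htdocs/cgibin/hedwig.cgi?service=status%253Bid HTTP/1.1" 200 512
192.0.2.13 - - [18/Sep/2025:10:01:11 +0000] "GET /index.html?q=a%7Cb HTTP/1.1" 200 2048
192.0.2.14 - - [18/Sep/2025:10:01:15 +0000] "GET /htdocs/cgibin/hedwig.cgi?a=1&b=2 HTTP/1.1" 200 64
"""


def suspicious_values(query: str, max_decode: int = 2):
    """Return (name, decoded_value) pairs whose value contains a shell metacharacter.

    parse_qsl splits on the literal '&' separator before decoding, so an '&' that
    survives inside a value was sent encoded (%26) and is a genuine hit rather
    than a false positive on multi-parameter requests. Values are decoded again
    (up to max_decode times) to catch double URL-encoding."""
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = value
        for _ in range(max_decode):
            if META_RE.search(decoded):
                break
            again = unquote_plus(decoded)
            if again == decoded:
                break
            decoded = again
        if META_RE.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(text: str):
    """Yield one alert dict per request to hedwig.cgi with suspicious query values."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != TARGET_PATH:
            continue  # metacharacters elsewhere are out of scope for this endpoint check
        hits = suspicious_values(parts.query)
        if hits:
            alerts.append({"src": m["src"], "method": m["method"], "params": hits})
    return alerts
```

POST bodies do not appear in access logs, so POST requests to the endpoint need a sensor or proxy that records request bodies before the same value check can be applied to them.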

Monitoring Recommendations

  • Forward syslog and HTTP access logs from network perimeter devices to a centralized log analytics or SIEM platform for correlation
  • Baseline normal management interface usage and alert on administrative traffic originating from non-management subnets
  • Flag any management interface access from the WAN side, which should be disabled on consumer routers

How to Mitigate CVE-2025-10628

Immediate Actions Required

  • Replace the D-Link DIR-852 with a currently supported router model, as the device is end-of-life and will not receive security updates
  • Disable remote (WAN-side) administration on the device and restrict the Web Management Interface to a dedicated management VLAN
  • Change default and weak administrative credentials to reduce the likelihood of an attacker meeting the PR:L precondition
  • Segment the router's management plane from user workstations and IoT devices

Patch Information

D-Link has confirmed the DIR-852 is no longer supported. No vendor patch will be issued. Refer to D-Link Security Resources for end-of-life guidance and supported replacement models.

Workarounds

  • Place the router behind a firewall that blocks unsolicited inbound traffic to the management interface
  • Apply an access control list permitting management interface access only from a single trusted administrative host
  • Decommission the device and migrate to a vendor-supported platform that receives ongoing firmware updates

```bash
# Example: block external access to the router management interface at an upstream firewall
# Replace ROUTER_IP and MGMT_HOST with your environment values
iptables -A FORWARD -d ROUTER_IP -p tcp --dport 80 -j DROP
iptables -A FORWARD -d ROUTER_IP -p tcp --dport 443 -j DROP
# -I inserts at the head of the chain, so the ACCEPT rules for the trusted host
# are evaluated before the DROP rules appended above
iptables -I FORWARD -s MGMT_HOST -d ROUTER_IP -p tcp --dport 80 -j ACCEPT
iptables -I FORWARD -s MGMT_HOST -d ROUTER_IP -p tcp --dport 443 -j ACCEPT
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
