CVE-2025-13562
Published: 23 November 2025
Description
A vulnerability was identified in D-Link DIR-852 1.00. It affects unspecified processing in the file /gena.cgi: manipulating the argument service leads to command injection. The attack can be executed remotely. The exploit is publicly available and might be used. This vulnerability only affects products that are no longer supported by the maintainer.
Mitigating Controls (NIST 800-53 r5) [AI]
Directly validates and sanitizes the 'service' argument in /gena.cgi processing to block command injection exploits.
Mandates timely identification, reporting, and remediation of flaws like the command injection vulnerability, including compensatory mitigations since no patches are available.
Prohibits use of unsupported system components such as the end-of-life D-Link DIR-852 firmware v1.00, preventing exposure to unpatchable command injection.
Security Summary [AI]
CVE-2025-13562 is a command injection vulnerability affecting the D-Link DIR-852 router on firmware version 1.00. The flaw occurs in the processing of the /gena.cgi file, where manipulation of the "service" argument enables arbitrary command injection. It is classified under CWE-74 and CWE-77, with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, such as executing injected commands on the device.
The vulnerability affects products no longer supported by the maintainer, so no patches are available. Advisories on VulDB detail the issue and submission history, while a public exploit is available on GitHub, increasing the risk of active use. The D-Link website offers general product information but no specific mitigation guidance.
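With no patch available, one compensating check is to flag /gena.cgi requests whose service argument falls outside an allow-list, using the logs of a proxy or gateway in front of the device. The following is an added example, not code from the advisory or from D-Link; it assumes the argument arrives as a query-string parameter, that logs use the combined access-log format, and that legitimate values are short identifiers.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: a legitimate `service` value is a short identifier. Adjust the
# pattern to the values your own clients actually send.
SAFE_SERVICE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_gena_requests(log_lines):
    """Return (source_ip, decoded_service) for /gena.cgi requests whose
    `service` argument does not match the allow-list."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != "/gena.cgi":
            continue
        # parse_qsl percent-decodes, so encoded metacharacters are caught too.
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key == "service" and not SAFE_SERVICE.fullmatch(value):
                hits.append((line.split(" ", 1)[0], value))
    return hits


# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Nov/2025:10:00:01 +0000] "SUBSCRIBE /gena.cgi?service=WANIPConn1 HTTP/1.1" 200 0',
    '198.51.100.7 - - [23/Nov/2025:10:00:05 +0000] "SUBSCRIBE /gena.cgi?service=x%3Bid HTTP/1.1" 200 0',
    '198.51.100.7 - - [23/Nov/2025:10:00:09 +0000] "GET /index.html?service=x%3Bid HTTP/1.1" 404 0',
    '203.0.113.4 - - [23/Nov/2025:10:00:12 +0000] "SUBSCRIBE /gena.cgi?service=%60uptime%60 HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for ip, value in suspicious_gena_requests(SAMPLE_LOG):
        print(f"ALERT {ip} service={value!r}")
```

The same allow-list can be enforced as a deny rule on the proxy, which gives the input validation that the unsupported firmware cannot receive.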
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Command injection in public-facing /gena.cgi enables remote unauthenticated exploitation (T1190: Exploit Public-Facing Application) leading to arbitrary command execution (T1202: Indirect Command Execution, as cited in advisory).