Multiple D-Link DIR-series routers, including DIR-110, DIR-412, DIR-600, DIR-610, DIR-615, DIR-645, and DIR-815 firmware version 1.03, contain a vulnerability in the service.cgi endpoint that allows remote attackers to execute arbitrary system commands without authentication. The flaw stems from improper input handling in the EVENT=CHECKFW parameter, which is passed directly to the system shell without sanitization. A crafted HTTP POST request can inject commands that are executed with root privileges, resulting in full device compromise. These router models are no longer supported at the time of assignment and affected version ranges may vary. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-08-21 UTC.
The vulnerability is located in the service.cgi endpoint, where the EVENT=CHECKFW parameter passed in an HTTP POST request is directly passed to the system shell without any input data sanitization (CWE-78: OS Command Injection). An attacker can craft an HTTP POST request containing malicious commands injected into the value of this parameter. The injected commands are executed immediately with root privileges, leading to complete device takeover.
The attacker gains full control over the device with root privileges — can execute arbitrary system commands, modify configuration, intercept network traffic, and use the device as an entry point to the local network. The result is complete device compromise.
D-Link manufacturer will not release patches for these devices as they are covered by End-of-Life policy. Immediate replacement of vulnerable devices with currently supported models is recommended. Until replacement, the following should be done: isolate devices from the internet (block access to the management interface from WAN), apply additional firewall rules restricting access to the service.cgi endpoint, and monitor network traffic for exploitation attempts.
D-Link DIR-110, DIR-412, DIR-600, DIR-610, DIR-615, DIR-645, and DIR-815 routers with firmware version 1.03. The exact range of affected versions may vary depending on the model — see references for details. All mentioned models are covered by the manufacturer's End-of-Life policy.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XDlink Dir 110
HWDlinkwszystkie wersjeDlink Dir 110 Firmware
OSDlinkwszystkie wersjeDlink Dir 412
HWDlinkwszystkie wersjeDlink Dir 412 Firmware
OSDlinkwszystkie wersjeDlink Dir 600
HWDlinkwszystkie wersjeDlink Dir 600 Firmware
OSDlinkwszystkie wersjeDlink Dir 610
HWDlinkwszystkie wersjeDlink Dir 610 Firmware
OSDlinkwszystkie wersjeDlink Dir 615
HWDlinkwszystkie wersjeDlink Dir 615 Firmware
OSDlinkwszystkie wersjeDlink Dir 645
HWDlinkwszystkie wersjeDlink Dir 645 Firmware
OSDlinkwszystkie wersjeDlink Dir 815
HWDlinkwszystkie wersjeDlink Dir 815 Firmware
OSDlink1.03
Related vulnerabilities
Unauthenticated remote code execution occurs in D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1...
The miniigd SOAP service in Realtek SDK allows remote attackers to execute arbitrary code via a crafted NewInt...
D-Link DIR-300/DIR-600 — nieuwierzytelniony OS command injection w command.php
D-Link DIR-300/DIR-600: nieuwierzytelniony command injection z uprawnieniami root
Command injection w routerze D-Link DIR-815 — podatność krytyczna (CVSS 9.8)