Unauthenticated OS Command Injection in D-Link DIR-868L Router
CVE-2025-55583

9.8 CRITICAL

Key Information:

Vendor: D-Link
CVE Published: 28 August 2025

What is CVE-2025-55583?

The D-Link DIR-868L B1 router firmware version FW2.05WWB02 is susceptible to an OS command injection vulnerability via the fileaccess.cgi component. The /dws/api/UploadFile endpoint improperly handles the pre_api_arg parameter, which is processed by system-level shell execution functions without adequate sanitization or authentication checks. This flaw enables remote attackers to execute arbitrary commands in the root context by sending specially crafted HTTP requests, posing significant security risks to users and their networks.
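A defender with HTTP visibility in front of an affected device can look for requests to this endpoint. The following is an added example, not code from the advisory or from D-Link: it assumes combined-format access logs from a proxy or network sensor, assumes pre_api_arg may appear in the query string, and uses a hypothetical allowlist of characters for legitimate values.

```python
import re
from urllib.parse import unquote_plus, urlsplit

ENDPOINT = "/dws/api/UploadFile"  # endpoint named in the advisory
PARAM = "pre_api_arg"             # parameter named in the advisory
# Assumption: a legitimate value needs only these characters.
SAFE_VALUE = re.compile(r"[A-Za-z0-9._/-]*")
# Assumption: combined-format access log from a proxy or sensor.
REQUEST = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Sep/2025:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Sep/2025:10:00:05 +0000] "POST /dws/api/UploadFile?pre_api_arg=photo.jpg HTTP/1.1" 200 64',
    '198.51.100.7 - - [01/Sep/2025:10:00:09 +0000] "POST /dws/api/UploadFile?pre_api_arg=a%253Bb HTTP/1.1" 200 64',
    '198.51.100.8 - - [01/Sep/2025:10:00:12 +0000] "POST /dws/api/UploadFile HTTP/1.1" 200 64',
]

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so %253B is compared as ';'."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return (source, verdict, value) for requests to the endpoint, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if fully_decode(parts.path).rstrip("/").lower() != ENDPOINT.lower():
        return None
    for pair in parts.query.split("&"):
        name, _, raw = pair.partition("=")
        value = fully_decode(raw)
        if fully_decode(name) == PARAM and not SAFE_VALUE.fullmatch(value):
            return (m["src"], "suspicious", value)
    # The parameter may travel in a body the log does not record, so every
    # request to this endpoint is still reported for review.
    return (m["src"], "endpoint-access", None)

def scan(lines):
    return [hit for hit in map(inspect_line, lines) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Because the flaw requires no authentication, any "endpoint-access" hit from an untrusted network deserves review even when no parameter value is visible in the log.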

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
