OS Command Injection Vulnerability in D-Link DIR-816L Routers
CVE-2025-9727

5.3MEDIUM

Key Information:

Vendor: D-link
Status: Dir-816l
Vendor: CVE Published:; 31 August 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-9727?

A vulnerability has been identified in the D-Link DIR-816L routers that could allow an attacker to execute arbitrary operating system commands remotely. This flaw is found in the function soapcgi_main within the /soap.cgi file, where improper handling of the 'service' argument can be exploited for command injection. The exploitation potential poses significant risks, especially for devices that are no longer supported by D-Link. The exploit has been publicly shared, increasing the urgency for users with affected models to take immediate action to secure their devices.

Affected Version(s)

DIR-816L 206b01

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-9727 - Proof of Concept

References

https://vuldb.com/?id.322016

vdb-entrytechnical-description

https://vuldb.com/?ctiid.322016

signaturepermissions-required

https://vuldb.com/?submit.639698

third-party-advisory

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Aug 31, 2025
👾
Exploit known to exist
Aug 31, 2025
Vulnerability published
Aug 31, 2025
Vulnerability Reserved
Aug 30, 2025

Credit

Lexpl0it (VulDB User)

D-link