CVE-2018-25358

HIGH

D-Link DIR601 2.02NA Credential Disclosure via my_cgi.cgi

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25358. PoCs published by Thomas Zuk.

AI-analyzed exploit summary This exploit demonstrates an authentication bypass vulnerability in D-Link DIR-601 routers (firmware <= 2.02NA) by abusing the 'table_name' parameter in a POST request to my_cgi.cgi, allowing unauthorized retrieval of administrative credentials and wireless settings.

Description

D-Link DIR601 2.02NA contains a credential disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive configuration data by manipulating the table_name parameter in POST requests. Attackers can send requests to /my_cgi.cgi with table_name values like admin_user, wireless_settings, and wireless_security to extract administrative credentials and wireless network keys in clear text.

Exploits (1)

exploitdb WORKING POC

by Thomas Zuk · pythonwebappshardware

https://www.exploit-db.com/exploits/45002

View Code ZIP pw:eip

This exploit demonstrates an authentication bypass vulnerability in D-Link DIR-601 routers (firmware <= 2.02NA) by abusing the 'table_name' parameter in a POST request to my_cgi.cgi, allowing unauthorized retrieval of administrative credentials and wireless settings.

Classification

Working Poc 100%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: D-Link DIR-601 Firmware <= 2.02NA

No auth needed

Prerequisites: Network access to the target device

MITRE ATT&CK

T1005 - Data from Local System T1552 - Unsecured Credentials

devstral-2 · analyzed May 24, 2026 Full analysis →

References (5)

Core 5

Core References

Exploit exploit

ExploitDB-45002

https://www.exploit-db.com/exploits/45002

Product product

Official Product Homepage

http://ca.dlink.com/

Product product

Official Product Homepage

https://www.packetlabs.net

Product product

Product Reference

http://support.dlink.ca/ProductInfo.aspx?m=DIR-601

Third Party Advisory third-party-advisory

VulnCheck Advisory: D-Link DIR601 2.02NA Credential Disclosure via my_cgi.cgi

https://www.vulncheck.com/advisories/d-link-dir601-2-02na-credential-disclosure-via-my-cgi-cgi

Scores

CVSS v3 7.5

EPSS 0.0070

EPSS Percentile 48.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-497

Status published

Products (2)

D-Link/DIR-601 < 2.02

D-Link/DIR601NA < 2.02

Published May 23, 2026

Tracked Since May 24, 2026