CVE-2025-55583
CRITICALD-Link DIR-868L B1 - Command Injection
Title source: llmDescription
D-Link DIR-868L B1 router firmware version FW2.05WWB02 contains an unauthenticated OS command injection vulnerability in the fileaccess.cgi component. The endpoint /dws/api/UploadFile accepts a pre_api_arg parameter that is passed directly to system-level shell execution functions without sanitization or authentication. Remote attackers can exploit this to execute arbitrary commands as root via crafted HTTP requests.
Scores
CVSS v3
9.8
EPSS
0.0111
EPSS Percentile
77.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Classification
CWE
CWE-78
CWE-306
CWE-668
Status
published
Affected Products (1)
dlink/dir-868l_firmware
Timeline
Published
Aug 28, 2025
Tracked Since
Feb 18, 2026