CVE-2025-14528
published 2025-12-11


Priority: P1, 79, high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 3.56% (87.9th percentile)

A vulnerability was detected in D-Link DIR-803 up to 1.04. It affects an unknown function of the file /getcfg.php in the Configuration Handler component. Manipulating the argument AUTHORIZED_GROUP results in information disclosure. The attack can be performed remotely. The exploit is now public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| d-link | dir-803 | | |
| dlink | dir-803_firmware | <= 1.04 | |

Detection & IOCs (extracted from sources)

path: /getcfg.php
url: /getcfg.php?a=%0A_POST_SERVICES=DEVICE.ACCOUNT%0AAUTHORIZED_GROUP=1'
command: GET /getcfg.php?a=%0A_POST_SERVICES=DEVICE.ACCOUNT%0AAUTHORIZED_GROUP=1' HTTP/1.1
  • Detect exploitation attempts by matching HTTP requests to /getcfg.php that contain a newline-injected AUTHORIZED_GROUP parameter (URL-encoded %0A) together with _POST_SERVICES=DEVICE.ACCOUNT in the query string.
  • Successful exploitation returns HTTP 200 with Content-Type: text/xml and XML body containing <password>, <username>, and <usrid> tags — alert on responses matching this pattern from /getcfg.php.
  • Use FOFA query 'app="D_Link-DIR-803"' to identify exposed D-Link DIR-803 devices for proactive scanning and asset identification.
  • The attack vector is newline injection (%0A) into the AUTHORIZED_GROUP parameter; monitor web logs for URL-encoded newline characters in requests to /getcfg.php.
  • This vulnerability only affects D-Link DIR-803 firmware A1 1.04 and earlier; the device is end-of-life and no patch will be issued by the vendor.
  • The exploit is publicly available, raising the likelihood of opportunistic exploitation against internet-exposed DIR-803 devices.
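
The request-side checks from the bullets above, written as a log scanner. This is an added example, not code from this page or its sources; it assumes Apache/nginx combined-format access logs, and the sample lines, IP addresses and label names are constructed.

```python
import re
from urllib.parse import unquote

# Assumption: Apache/nginx "combined" access-log format.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')

# Constructed sample lines (documentation IP ranges, invented sizes and agents).
SAMPLE_LOG = """\
192.0.2.10 - - [11/Dec/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Dec/2025:10:00:05 +0000] "GET /getcfg.php?a=%0A_POST_SERVICES=DEVICE.ACCOUNT%0AAUTHORIZED_GROUP=1' HTTP/1.1" 200 612 "-" "-"
198.51.100.7 - - [11/Dec/2025:10:00:09 +0000] "GET /getcfg.php?a=%0a_POST_SERVICES=DEVICE.ACCOUNT%0aAUTHORIZED_GROUP=1 HTTP/1.1" 404 0 "-" "-"
203.0.113.4 - - [11/Dec/2025:10:01:12 +0000] "GET /getcfg.php?x=1%0Ay=2 HTTP/1.1" 200 90 "-" "-"
192.0.2.10 - - [11/Dec/2025:10:02:30 +0000] "POST /getcfg.php HTTP/1.1" 200 300 "-" "-"
""".splitlines()

def classify(line):
    """Return (label, status) for a suspicious /getcfg.php request, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if unquote(path).lower() != "/getcfg.php":
        return None
    decoded = unquote(query)  # %0A and %0a both decode to "\n"
    parts = re.split(r"[\r\n]+", decoded)  # "\r" also covers %0D%0A
    if len(parts) < 2:
        return None  # no encoded newline in the query string
    # Fields after the first newline were injected into the parameter value.
    has_group = any(p.startswith("AUTHORIZED_GROUP=") for p in parts[1:])
    has_service = "_POST_SERVICES=DEVICE.ACCOUNT" in decoded
    if has_group and has_service:
        label = "authorized-group-injection"
    else:
        label = "newline-in-getcfg"
    return label, int(m.group("status"))

def scan(lines):
    """Return (line_number, label, http_status) for every flagged line."""
    hits = []
    for n, line in enumerate(lines, 1):
        result = classify(line)
        if result:
            hits.append((n, *result))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Access logs do not carry the response body, so the status is returned to let a 200 on a flagged request be prioritised for the XML-body check described above.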

CVSS provenance

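| Source | Version | Score | Severity | Vector |
|--------|---------|-------|----------|--------|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v4.0 | 5.5 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | | 5.5 | MEDIUM | |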