CVE-2025-14528
Published 2025-12-11
Priority: P1 · 79 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 3.56% (87.9th percentile)
A vulnerability was detected in D-Link DIR-803 up to 1.04. Impacted is an unknown function of the file /getcfg.php of the component Configuration Handler. The manipulation of the argument AUTHORIZED_GROUP results in information disclosure. The attack may be performed from remote. The exploit is now public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| d-link | dir-803 | — | — |
| dlink | dir-803_firmware | <= 1.04 | — |
Detection & IOCs
- Detect exploitation attempts by matching HTTP requests to /getcfg.php containing a newline-injected AUTHORIZED_GROUP parameter (URL-encoded %0A) with _POST_SERVICES=DEVICE.ACCOUNT in the query string.
- Successful exploitation returns HTTP 200 with Content-Type: text/xml and an XML body containing <password>, <username>, and <usrid> tags. Alert on responses matching this pattern from /getcfg.php.
- Use the FOFA query 'app="D_Link-DIR-803"' to identify exposed D-Link DIR-803 devices for proactive scanning and asset identification.
- The attack vector is newline injection (%0A) into the AUTHORIZED_GROUP parameter; monitor web logs for URL-encoded newline characters in requests to /getcfg.php.
- This vulnerability only affects D-Link DIR-803 firmware A1 1.04 and earlier; the device is end-of-life and no patch will be issued by the vendor.
- The exploit is publicly available, raising the likelihood of opportunistic exploitation against internet-exposed DIR-803 devices.
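The request and response indicators listed above, written as a small matcher for access logs and captured responses. This is an added example, not code from the cited sources; the combined-log-format layout, the function names, and the sample log lines and XML body are constructed assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumed combined-log-format layout: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')
CRED_TAGS = ("<password>", "<username>", "<usrid>")

def request_matches(target):
    """Newline, AUTHORIZED_GROUP and _POST_SERVICES=DEVICE.ACCOUNT on /getcfg.php."""
    parts = urlsplit(target)
    if parts.path != "/getcfg.php":
        return False
    # Decode the whole query so %0A and %0a both become a newline,
    # whatever the parameter order is.
    query = unquote(parts.query)
    return ("\n" in query and "AUTHORIZED_GROUP" in query
            and "_POST_SERVICES=DEVICE.ACCOUNT" in query)

def response_matches(status, content_type, body):
    """HTTP 200, text/xml, and all three credential tags present in the body."""
    return (status == 200 and content_type.lower().startswith("text/xml")
            and all(tag in body for tag in CRED_TAGS))

def scan(lines):
    """Return (client_ip, status) for each log line whose request matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and request_matches(m.group(2)):
            hits.append((m.group(1), int(m.group(3))))
    return hits

# Constructed sample data: documentation IP ranges and placeholder values only.
SAMPLE_LOG = [
    '198.51.100.7 - - [11/Dec/2025:10:00:01 +0000] "GET /getcfg.php?'
    'AUTHORIZED_GROUP=x%0a&_POST_SERVICES=DEVICE.ACCOUNT HTTP/1.1" 200 512',
    '192.0.2.10 - - [11/Dec/2025:10:00:05 +0000] "POST /getcfg.php HTTP/1.1" 200 88',
    '192.0.2.11 - - [11/Dec/2025:10:00:09 +0000] "GET /index.php?note=a%0Ab HTTP/1.1" 200 1024',
]
SAMPLE_BODY = ("<account><usrid>PLACEHOLDER</usrid><username>PLACEHOLDER</username>"
               "<password>PLACEHOLDER</password></account>")

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
    print(response_matches(200, "text/xml", SAMPLE_BODY))
```

Access logs do not carry response bodies, so `response_matches` is meant for proxy or IDS captures; a request hit with status 200 in `scan` is the signal to pull the matching response.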
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v4.0 | 5.5 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | | 5.5 | MEDIUM | |
GHSA
GHSA-rh34-wc6m-2m98: A vulnerability was detected in D-Link DIR-803 up to 1
ghsa_unreviewed·2025-12-11
CVE-2025-14528 [MEDIUM] CWE-200
VulnCheck
D-Link dir-803_firmware Exposure of Sensitive Information to an Unauthorized Actor
vulncheck·2025·CVSS 5.5
CVE-2025-14528 [MEDIUM]
Affected: D-Link dir-803_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://tracker.crowdsec.net/cves/CVE-2025-14528; https://www.crowdsec.net/vulntracki
No detection rules found.
Nuclei
Jinher OA - SQL Injection
nuclei·CVSS 6.9
CVE-2025-10090 [MEDIUM]
jinher jinher_oa is an office automation software that facilitates workflow management and collaboration within organizations. It sits in the enterprise layer of the tech stack, is typically deployed as self_hosted, and—within the information_technology industry—serves the business_apps domain.
Template:
```yaml
id: CVE-2025-10090
info:
  name: Jinher OA - SQL Injection
  author: DhiyaneshDk
  severity: high
  description: |
    jinher jinher_oa is an office automation software that facilitates workflow management and collaboration within organizations. It sits in the enterprise layer of the tech stack, is typically deployed as self_hosted, and—within the information_technology industry—serves the business_apps domain.
  impact: |
    Remote attackers can execute arbitrary SQL commands
```
Nuclei
D-Link DIR-803 - Authentication Bypass
nuclei·CVSS 5.5
CVE-2025-14528 [MEDIUM]
An authentication bypass vulnerability exists in D-Link DIR-803 routers (firmware A1 1.04 and earlier). By manipulating the AUTHORIZED_GROUP parameter in /getcfg.php via newline injection, an attacker can retrieve XML configuration containing administrator credentials without authentication.
Template:
```yaml
id: CVE-2025-14528
info:
  name: D-Link DIR-803 - Authentication Bypass
  author: DhiyaneshDk
  severity: high
  description: |
    An authentication bypass vulnerability exists in D-Link DIR-803 routers (firmware A1 1.04 and earlier). By manipulating the AUTHORIZED_GROUP parameter in /getcfg.php via newline injection, an attacker can retrieve XML configuration containing administrator credentials without authentication.
  impact: |
    Remote attackers can disclose s
```
No writeups or analysis indexed.
- https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/D-Link/vuln-2/DIR-803%20Authentication%20Bypass.md
- https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/D-Link/vuln-2/DIR-803%20Authentication%20Bypass.md#poc
- https://vuldb.com/?ctiid.335869
- https://vuldb.com/?id.335869
- https://vuldb.com/?submit.703150
- https://www.dlink.com/