CVE-2025-10628 is a command injection vulnerability identified in the D-Link DIR-852 router, specifically version 1.00CN B09. The vulnerability resides in the web management interface component, within the /htdocs/cgibin/hedwig.cgi file. Command injection vulnerabilities allow an attacker to execute arbitrary commands on the underlying operating system with the privileges of the affected application. In this case, the vulnerability can be exploited remotely without requiring user interaction or authentication, as indicated by the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L). The attack complexity is low, meaning that an attacker with network access to the device can manipulate input parameters to inject commands. The CVSS 4.0 base score is 5.3, categorized as medium severity, reflecting limited impact on confidentiality, integrity, and availability (all rated low), and the requirement of low privileges (PR:L). The vulnerability affects only an unsupported version of the DIR-852 router, which reduces the likelihood of widespread exploitation but still poses risks to environments where these devices remain in use. No official patches or updates have been released, and although no exploits are currently known to be in the wild, a public exploit has been made available, increasing the risk of future attacks. The vulnerability's presence in the web management interface means that successful exploitation could allow attackers to execute arbitrary system commands, potentially leading to device compromise, network pivoting, or disruption of network services managed by the router.

For European organizations, the impact of this vulnerability depends largely on the continued deployment of the affected D-Link DIR-852 1.00CN B09 routers, which are no longer supported. If these devices are still in use, especially in small to medium enterprises or home office environments, attackers could remotely compromise the routers to gain unauthorized access to internal networks, intercept or manipulate traffic, or disrupt connectivity. This could lead to data breaches, loss of network availability, or serve as a foothold for further attacks within the organization. Given the medium severity and the requirement of low privileges, the threat is moderate but non-negligible. The lack of vendor support means no official patches are available, increasing the risk over time. European organizations relying on legacy network equipment without proper segmentation or monitoring are particularly vulnerable. Additionally, the public availability of an exploit increases the risk of opportunistic attacks targeting these devices.

Since the affected product is no longer supported and no official patches exist, European organizations should prioritize the following mitigations: 1) Immediate replacement or upgrade of the D-Link DIR-852 routers to supported models with up-to-date firmware to eliminate the vulnerability. 2) If replacement is not immediately feasible, restrict remote access to the router's management interface by limiting it to trusted internal networks and disabling remote management features. 3) Implement network segmentation to isolate legacy devices from critical infrastructure and sensitive data environments. 4) Employ intrusion detection/prevention systems (IDS/IPS) to monitor for suspicious command injection attempts targeting the hedwig.cgi endpoint. 5) Regularly audit network devices to identify unsupported hardware and maintain an asset inventory to prevent unmanaged devices from remaining in production. 6) Educate IT staff about the risks of unsupported devices and the importance of timely hardware lifecycle management. These steps go beyond generic advice by focusing on compensating controls and proactive asset management in the absence of vendor patches.