CVE-2025-10629: Command Injection in D-Link DIR-852
A vulnerability was found in D-Link DIR-852 1.00CN B09. It affects the function ssdpcgi_main in the file htodcs/cgibin of the Simple Service Discovery Protocol service. Manipulation of the argument ST leads to command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
AI Analysis
Technical Summary
CVE-2025-10629 is a command injection vulnerability identified in the D-Link DIR-852 router, specifically affecting firmware version 1.00CN B09. The vulnerability resides in the Simple Service Discovery Protocol (SSDP) service, within the ssdpcgi_main function located in the htodcs/cgibin component. The issue arises from improper sanitization of the ST argument, which an attacker can manipulate to inject arbitrary commands. The flaw allows remote attackers to execute commands on the underlying operating system without user interaction; the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L) indicates network reachability, low attack complexity and low required privileges. The vulnerability has a CVSS 4.0 base score of 5.3, categorized as medium severity, reflecting limited impact on confidentiality, integrity, and availability, and requiring low privileges for exploitation. Although the exploit has been publicly disclosed, no exploitation in the wild has been observed to date. Importantly, this vulnerability affects only an outdated and unsupported firmware version, meaning no official patches or updates are available from D-Link. Successful exploitation could allow attackers to execute arbitrary commands remotely, potentially leading to unauthorized control over the device, network reconnaissance, or pivoting to other internal systems. Given the nature of the device as a consumer or small office router, the risk extends to the network security and privacy of connected users.
Potential Impact
For European organizations, the impact of this vulnerability depends largely on the deployment of the affected D-Link DIR-852 routers running the vulnerable firmware. If such devices are used within corporate or home office environments, exploitation could lead to unauthorized network access, interception of traffic, or use of the compromised device as a foothold for further attacks. This could result in data breaches, disruption of network services, or lateral movement within organizational networks. The medium severity rating suggests that while the vulnerability is exploitable remotely without user interaction, the overall impact on confidentiality, integrity, and availability is limited but non-negligible. Organizations relying on these routers for critical connectivity or with weak network segmentation may face increased risk. Additionally, since the product is no longer supported, organizations cannot rely on vendor patches, increasing the urgency for alternative mitigation strategies. The lack of known active exploitation reduces immediate risk but does not eliminate the threat, especially given the public disclosure of the exploit details.
Mitigation Recommendations
Given the absence of official patches for this unsupported device, European organizations should prioritize the following mitigation steps:
1) Immediate replacement of the affected D-Link DIR-852 routers with supported and updated hardware models to eliminate the vulnerability vector.
2) If replacement is not immediately feasible, isolate the vulnerable devices in segmented network zones with strict firewall rules that limit inbound access to the SSDP service and other management interfaces.
3) Disable the SSDP service and any other unnecessary services on the router to reduce the attack surface.
4) Monitor network traffic for unusual activity or command injection attempts targeting the ST argument in SSDP requests.
5) Employ network intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics capable of detecting command injection patterns related to this vulnerability.
6) Educate IT staff and users about the risks of using unsupported hardware and the importance of timely firmware updates and device lifecycle management.
These targeted actions go beyond generic advice by focusing on compensating controls and network architecture adjustments that mitigate risk in the absence of vendor patches.
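Steps 4 and 5 above call for monitoring SSDP traffic for command injection attempts in the ST argument. The following Python script is an added example written for this page, not code from the advisory, VulDB or D-Link: it parses SSDP M-SEARCH datagrams and flags an ST value that contains shell metacharacters or falls outside the UPnP search-target grammar (ssdp:all, upnp:rootdevice, uuid:..., urn:...:device|service:...). The sample datagrams, the ST_ALLOWED pattern and the SHELL_META set are constructed for the example; tune the allow-list to the search targets actually seen on your network.

```python
"""Detection helper for anomalous SSDP search-target (ST) headers.

Added example, not from the advisory or the vendor. SSDP discovery runs over
UDP port 1900 and carries the ST header in M-SEARCH requests; a legitimate ST
never contains shell metacharacters, so an allow-list check is a robust signal
for injection attempts against a device whose SSDP CGI passes ST to a shell.
All datagrams below are constructed, not captured traffic.
"""
import re

# Legitimate ST forms per the UPnP Device Architecture (pattern is an
# assumption for this example; extend it with vendor-specific targets you see):
#   ssdp:all, upnp:rootdevice, uuid:<device-UUID>,
#   urn:<domain>:device:<type>:<ver>, urn:<domain>:service:<type>:<ver>
ST_ALLOWED = re.compile(
    r"^(ssdp:all"
    r"|upnp:rootdevice"
    r"|uuid:[A-Za-z0-9\-]+"
    r"|urn:[A-Za-z0-9\-\.]+:(device|service):[A-Za-z0-9\-\._]+:[0-9]+)$"
)

# Characters that a POSIX shell interprets; none of them belong in an ST value.
SHELL_META = set(";|&`$(){}<>\n\r'\"\\")


def parse_ssdp(datagram: bytes) -> dict:
    """Parse an SSDP request into {'start': request line, 'headers': {NAME: value}}.
    Header names are upper-cased; bytes are decoded as latin-1 so nothing is
    silently dropped before inspection."""
    lines = datagram.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line terminates the header block
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed header line; ignore it
        headers[name.strip().upper()] = value.strip()
    return {"start": lines[0], "headers": headers}


def classify_st(datagram: bytes) -> tuple:
    """Return (verdict, st_value). Verdicts:
      'not-msearch' - not an M-SEARCH request, nothing to check
      'missing-st'  - M-SEARCH without an ST header
      'ok'          - ST matches the UPnP grammar
      'suspicious'  - ST contains shell metacharacters
      'anomalous'   - ST is outside the grammar but has no metacharacters"""
    req = parse_ssdp(datagram)
    if not req["start"].upper().startswith("M-SEARCH"):
        return ("not-msearch", None)
    st = req["headers"].get("ST")
    if st is None:
        return ("missing-st", None)
    if any(c in SHELL_META for c in st):
        return ("suspicious", st)
    if ST_ALLOWED.match(st):
        return ("ok", st)
    return ("anomalous", st)


def scan(datagrams) -> list:
    """Classify every datagram; returns a list of (verdict, st) tuples."""
    return [classify_st(d) for d in datagrams]


# Constructed sample datagrams: two normal searches, one with a malformed ST
# (a placeholder, not a working payload), and a NOTIFY that carries no ST.
SAMPLES = [
    b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\n"
    b"MX: 2\r\nST: ssdp:all\r\n\r\n",
    b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\n"
    b"MX: 2\r\nST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n",
    b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\n"
    b"MX: 2\r\nST: ssdp:all;$(placeholder)\r\n\r\n",
    b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNT: upnp:rootdevice\r\n\r\n",
]

if __name__ == "__main__":
    for verdict, st in scan(SAMPLES):
        print(f"{verdict:12s} ST={st!r}")
```

In production the datagrams would come from a packet capture or a UDP/1900 listener on the segmented zone; the 'suspicious' verdict is the one worth alerting on, while 'anomalous' is useful for tuning the allow-list to your environment before enabling alerts on it.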
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Poland, Netherlands
Technical Details
Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-17T12:10:26.168Z
CVSS Version: 4.0
State: PUBLISHED
Threat ID: 68cb5713e5fa2c8b14911b1e
Added to database: 9/18/2025, 12:49:23 AM
Last enriched: 9/18/2025, 1:04:22 AM
Last updated: 9/18/2025, 3:15:40 AM
Related Threats
CVE-2025-10631: Cross Site Scripting in itsourcecode Online Petshop Management System (Medium)
CVE-2025-10628: Command Injection in D-Link DIR-852 (Medium)
CVE-2025-38380 (Low)
CVE-2025-35430: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in CISA Thorium (Medium)
CVE-2025-58432: CWE-250: Execution with Unnecessary Privileges in IceWhaleTech ZimaOS (Medium)