
CVE-2025-10689: Command Injection in D-Link DIR-645

Medium
Tags: Vulnerability, CVE-2025-10689
Published: Thu Sep 18 2025 (09/18/2025, 20:32:06 UTC)
Source: CVE Database V5
Vendor/Project: D-Link
Product: DIR-645

Description

A vulnerability was identified in D-Link DIR-645 105B01. This issue affects the function soapcgi_main of the file /soap.cgi. Manipulation of the argument 'service' leads to command injection. The attack can be launched remotely. The exploit is publicly available and might be used. This vulnerability only affects products that are no longer supported by the maintainer.

AI-Powered Analysis

Last updated: 09/18/2025, 20:40:28 UTC

Technical Analysis

CVE-2025-10689 is a command injection vulnerability identified in the D-Link DIR-645 router, specifically affecting firmware version 105B01. The flaw resides in the soapcgi_main function within the /soap.cgi endpoint. By manipulating the 'service' argument in requests to this CGI interface, an attacker can inject arbitrary commands that the device executes. This vulnerability is remotely exploitable without requiring user interaction or authentication, making it particularly dangerous. The exploit code is publicly available, increasing the likelihood of exploitation attempts. However, the affected product is no longer supported by D-Link, meaning no official patches or firmware updates are available to remediate the issue. The CVSS 4.0 score is 5.3 (medium severity), reflecting the network attack vector, low attack complexity, no privileges or user interaction required, but limited impact on confidentiality, integrity, and availability. The vulnerability could allow attackers to execute arbitrary commands on the router, potentially leading to device compromise, network disruption, or pivoting to internal networks. Since the device is an edge router, exploitation could impact network traffic, confidentiality of communications, and availability of internet access for connected users.

Potential Impact

For European organizations, the impact of this vulnerability depends on the presence of the affected D-Link DIR-645 105B01 routers within their network infrastructure. Many small and medium enterprises (SMEs) and home office setups may still use this older router model due to cost or legacy reasons. Successful exploitation could allow attackers to gain control over the router, intercept or manipulate network traffic, disrupt internet connectivity, or establish persistent footholds for further attacks. This could lead to data breaches, operational downtime, and compromise of internal systems. Since the device is no longer supported, organizations cannot rely on vendor patches, increasing the risk profile. The medium severity score suggests a moderate risk, but the lack of vendor support and public exploit availability elevate the threat level. European organizations with remote or distributed workforces using these routers at branch offices or home environments are particularly vulnerable. Additionally, critical infrastructure or government entities using this hardware could face targeted attacks aiming to disrupt communications or exfiltrate sensitive data.

Mitigation Recommendations

Given the absence of official patches, mitigation must focus on compensating controls. Organizations should first conduct network asset inventories to identify any D-Link DIR-645 105B01 devices in use. Immediate replacement of these routers with supported, updated hardware is the most effective mitigation. If replacement is not immediately feasible, network segmentation should isolate vulnerable routers from sensitive internal networks to limit attacker lateral movement. Access to the router's management interface and the /soap.cgi endpoint should be restricted via firewall rules to trusted IP addresses only, preferably internal management networks. Monitoring network traffic for unusual requests to /soap.cgi and anomalous command execution patterns can help detect exploitation attempts. Employing intrusion detection/prevention systems (IDS/IPS) with signatures for this vulnerability can provide additional defense. User education to avoid exposing router management interfaces to the internet is critical. Finally, organizations should plan for phased decommissioning of unsupported devices to reduce long-term risk.
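As an added example (not part of this advisory, and not code from D-Link or the database), the two compensating controls above that can be checked from logs, restricting /soap.cgi to trusted addresses and watching for unusual requests to it, are combined into a small access-log check. It assumes combined-format web access logs, that the 'service' parameter arrives in the query string, and a hypothetical management network of 192.168.0.0/24; the log lines are constructed, not captured from a device.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: only these networks are allowed to reach the router's management
# and CGI interfaces (the advisory's "trusted IP addresses" recommendation).
MANAGEMENT_NETS = [ipaddress.ip_network("192.168.0.0/24")]

# A legitimate SOAP service name never needs shell metacharacters; their
# presence in the 'service' value is the signal a defender wants to alert on.
SHELL_META = re.compile(r"[;&|`$<>\n\\]")

# Assumption: Apache/nginx combined-format access log lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def analyse_line(line):
    """Return None for lines that do not hit /soap.cgi, otherwise a record
    whose 'reasons' list is empty for requests that look benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != "/soap.cgi":
        return None
    reasons = []
    src = ipaddress.ip_address(m.group("ip"))
    if not any(src in net for net in MANAGEMENT_NETS):
        reasons.append("source outside management network")
    # parse_qs already percent-decodes once; decoding a second time also
    # surfaces double-encoded metacharacters (e.g. %253B -> %3B -> ;).
    params = parse_qs(url.query, keep_blank_values=True)
    for value in params.get("service", []):
        if SHELL_META.search(unquote(value)):
            reasons.append("shell metacharacter in service parameter")
            break
    return {"ip": str(src), "method": m.group("method"),
            "target": m.group("target"), "reasons": reasons}


def scan(lines):
    """Return only the /soap.cgi records that raised at least one reason."""
    hits = []
    for line in lines:
        rec = analyse_line(line)
        if rec and rec["reasons"]:
            hits.append(rec)
    return hits


# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = [
    '192.168.0.10 - - [18/Sep/2025:20:32:06 +0000] "POST /soap.cgi?service=HNAP1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [18/Sep/2025:20:33:10 +0000] "POST /soap.cgi?service=HNAP1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [18/Sep/2025:20:33:12 +0000] "POST /soap.cgi?service=HNAP1%3Bid HTTP/1.1" 200 96',
    '192.168.0.10 - - [18/Sep/2025:20:34:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '192.168.0.10 - - [18/Sep/2025:20:35:41 +0000] "POST /soap.cgi?service=HNAP1%253Bid HTTP/1.1" 200 96',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["target"], "->", "; ".join(hit["reasons"]))
```

The two reasons are kept separate on purpose: an external address reaching /soap.cgi at all is a firewall-policy failure worth alerting on even when the request body is clean, while a metacharacter in 'service' from an internal host points at a compromised or hostile machine inside the management network. Either finding should also trigger the inventory step above, since it confirms an unsupported DIR-645 is still reachable.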


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-09-18T13:18:29.699Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68cc6e2bef6beda3cd78d386

Added to database: 9/18/2025, 8:40:11 PM

Last enriched: 9/18/2025, 8:40:28 PM

Last updated: 9/19/2025, 8:11:02 AM
