CVE-2025-13562: Command Injection in D-Link DIR-852
A vulnerability was identified in D-Link DIR-852 1.00. This issue affects some unknown processing of the file /gena.cgi. Such manipulation of the argument service leads to command injection. The attack can be executed remotely. The exploit is publicly available and might be used. This vulnerability only affects products that are no longer supported by the maintainer.
AI Analysis
Technical Summary
CVE-2025-13562 identifies a command injection vulnerability in the D-Link DIR-852 router firmware version 1.00. The flaw resides in the processing of the /gena.cgi endpoint, specifically in the handling of the 'service' parameter, which is improperly sanitized. This allows remote attackers to inject and execute arbitrary system commands without authentication or user interaction. The vulnerability is exploitable over the network (AV:N), with low attack complexity (AC:L), and no privileges or user interaction needed (PR:N/UI:N). The impact on confidentiality, integrity, and availability is rated low to limited by the CVSS vector, but the ability to execute arbitrary commands can lead to device compromise, unauthorized access, or disruption of network services. The affected product is no longer supported by D-Link, so no official patches or updates are available, which increases the risk for users who continue to operate this hardware. Public exploits have been released, facilitating potential attacks, and because no authentication is required, any attacker with network access to the device can attempt exploitation. The lack of scope change (S:N) indicates the impact is confined to the vulnerable device itself. The vulnerability was published on November 23, 2025, and is cataloged in the CVE database with a medium severity rating based on CVSS 4.0 standards.
Potential Impact
For European organizations, the primary impact involves potential unauthorized remote control of affected D-Link DIR-852 routers, which can lead to interception or manipulation of network traffic, disruption of internet connectivity, and pivoting to internal networks. This is particularly concerning for small and medium enterprises or home office environments that may still use legacy or unsupported network equipment. The compromise of such routers can undermine network confidentiality and integrity, enabling attackers to conduct further attacks such as data exfiltration, man-in-the-middle attacks, or launching attacks against internal systems. Availability may also be affected if attackers disrupt router functionality or cause denial of service. Since the product is no longer supported, organizations cannot rely on vendor patches, increasing exposure. The public availability of exploits raises the likelihood of opportunistic attacks, including by less sophisticated threat actors. The impact is heightened in sectors with critical infrastructure or sensitive data, where network stability and security are paramount.
Mitigation Recommendations
Given the absence of official patches, European organizations should prioritize replacing the D-Link DIR-852 routers with supported, updated models to eliminate the vulnerability. If immediate replacement is not feasible, network segmentation should be implemented to isolate vulnerable devices from critical systems and limit exposure to untrusted networks. Access control lists (ACLs) and firewall rules should restrict inbound traffic to the /gena.cgi endpoint or block access to the router's management interfaces from outside trusted networks. Monitoring network traffic for unusual activity targeting the router can help detect exploitation attempts. Disabling remote management features on the affected devices reduces attack surface. Organizations should conduct asset inventories to identify any remaining DIR-852 devices and remove or quarantine them. Additionally, educating users about the risks of unsupported hardware and encouraging timely hardware upgrades will reduce future exposure. Employing intrusion detection/prevention systems (IDS/IPS) with signatures for known exploits can provide an additional layer of defense.
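The monitoring and access-restriction advice above can be turned into a concrete log check. The following is an added example written for this page, not code from D-Link or from the advisory source: it scans HTTP access log lines for requests to /gena.cgi, flags any that come from outside an assumed trusted management network, and flags any whose 'service' parameter carries shell metacharacters that have no place in a UPnP service identifier. The log format, the trusted subnet and the sample lines are all constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption for the example: only this LAN subnet may reach the router's
# management CGI. Anything else hitting /gena.cgi is worth an alert.
TRUSTED_NETWORKS = [ipaddress.ip_network("192.168.0.0/24")]

# Characters meaningful to a shell but never part of a legitimate UPnP
# service identifier; their presence in 'service' is the injection tell.
SHELL_META = re.compile(r"[;|&`$\n\r]")

# Common-log-format line: ip ident user [timestamp] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Nov/2025:18:05:01 +0000] "GET /gena.cgi?service=urn%3Aschemas-upnp-org%3Aservice%3AWANIPConnection HTTP/1.1" 200 512',
    '203.0.113.77 - - [23/Nov/2025:18:06:10 +0000] "GET /gena.cgi?service=a%3Bb HTTP/1.1" 200 17',
    '192.168.0.10 - - [23/Nov/2025:18:07:00 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '192.168.0.20 - - [23/Nov/2025:18:08:00 +0000] "GET /gena.cgi?service=a%60b HTTP/1.1" 200 12',
]


def parse_log_line(line):
    """Split one access-log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def check_gena_request(entry):
    """Return the reasons this entry looks like /gena.cgi abuse (empty if clean)."""
    reasons = []
    parts = urlsplit(entry["target"])
    if parts.path != "/gena.cgi":
        return reasons

    src = ipaddress.ip_address(entry["ip"])
    if not any(src in net for net in TRUSTED_NETWORKS):
        reasons.append("gena.cgi reached from untrusted network")

    # parse_qs decodes once; unquote again so double-encoded values are also caught.
    for value in parse_qs(parts.query).get("service", []):
        if SHELL_META.search(unquote(value)):
            reasons.append("shell metacharacters in 'service' parameter")
            break
    return reasons


def scan_log(lines):
    """Run the checks over every parseable line; return (ip, target, reasons) alerts."""
    alerts = []
    for line in lines:
        entry = parse_log_line(line)
        if entry is None:
            continue
        reasons = check_gena_request(entry)
        if reasons:
            alerts.append((entry["ip"], entry["target"], reasons))
    return alerts


if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip} {target}: {', '.join(reasons)}")
```

The first rule mirrors the ACL recommendation (management endpoints reachable only from trusted networks) and fires even on benign-looking UPnP requests from the wrong side of the router; the second catches attempts from inside the trusted network. Feed it the router's syslog or an upstream proxy log, and pair it with the segmentation and device-replacement steps, since detection alone does not remove the unpatched flaw.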
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-22T17:04:04.994Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 69234d6ea8cb427b79f42970
Added to database: 11/23/2025, 6:07:42 PM
Last enriched: 11/23/2025, 6:20:24 PM
Last updated: 11/23/2025, 7:12:15 PM