CVE-2025-4340: Command Injection in D-Link DIR-890L
A vulnerability classified as critical has been found in D-Link DIR-890L and DIR-806A1 up to 100CNb11/108B03. Affected is the function sub_175C8 of the file /htdocs/soap.cgi. The manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
AI Analysis
Technical Summary
CVE-2025-4340 is a command injection vulnerability identified in the D-Link DIR-890L and DIR-806A1 routers, specifically affecting firmware versions up to 100CNb11 and 108B03. The vulnerability resides in the function sub_175C8 within the /htdocs/soap.cgi file. This flaw allows an attacker to remotely execute arbitrary commands on the affected device without requiring user interaction or authentication, due to improper input validation in the SOAP interface. The vulnerability is classified as medium severity with a CVSS 4.0 base score of 5.3, reflecting network attack vector, low attack complexity, no privileges or user interaction needed, but limited impact on confidentiality, integrity, and availability. Notably, the affected products are no longer supported by the vendor, meaning no official patches or firmware updates are available to remediate the issue. Although no known exploits are currently observed in the wild, the public disclosure of the exploit code increases the risk of exploitation. The vulnerability could allow attackers to compromise the router, potentially gaining control over network traffic, launching further attacks on connected devices, or disrupting network availability.
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to environments where legacy D-Link DIR-890L or DIR-806A1 routers are still in use, particularly in small to medium enterprises or home office setups. Compromise of these routers could lead to interception or manipulation of sensitive data traversing the network, unauthorized network access, or denial of service conditions. Given the routers are no longer supported, organizations cannot rely on vendor patches, increasing the likelihood of prolonged exposure. This is especially critical for organizations with remote or hybrid workforces relying on these devices for secure connectivity. Additionally, compromised routers could serve as footholds for attackers to pivot into corporate networks or launch attacks against other infrastructure. While the CVSS score is medium, the lack of vendor support and ease of remote exploitation elevate the operational risk. European organizations must assess their network inventory to identify these devices and prioritize mitigation to prevent potential breaches or service disruptions.
Mitigation Recommendations
Since no official patches are available due to end-of-life status, organizations should prioritize the following mitigations:
1) Immediately identify and inventory all D-Link DIR-890L and DIR-806A1 routers running vulnerable firmware versions.
2) Replace affected devices with currently supported models that receive regular security updates.
3) If replacement is not immediately feasible, isolate vulnerable routers from critical network segments and restrict remote management access, especially blocking inbound SOAP requests from untrusted networks.
4) Implement network-level controls such as firewall rules to limit access to router management interfaces and monitor for unusual traffic patterns indicative of exploitation attempts.
5) Employ network intrusion detection/prevention systems (IDS/IPS) with signatures tuned to detect exploitation attempts targeting SOAP CGI interfaces.
6) Educate users and administrators about the risks of using unsupported hardware and the importance of timely device lifecycle management.
7) Regularly audit network devices for firmware versions and vulnerabilities to maintain situational awareness.
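As an added example (not code from this advisory, from offseq, or from D-Link), the following Python script applies recommendations 3 to 5 at the log level: it flags requests to the router's SOAP CGI endpoint that come from outside an allowlisted set of management networks, which is the traffic the advisory says should be blocked and monitored. The exposed URL path /soap.cgi (the advisory names the file /htdocs/soap.cgi on the device), the trusted CIDRs, the Common Log Format and the sample log lines are all assumptions or constructed inputs.

```python
import ipaddress
import re

# Assumed URL path of the router's SOAP CGI (the advisory names the file
# /htdocs/soap.cgi on the device; the path exposed over HTTP is an assumption).
SOAP_PATH_RE = re.compile(r"/soap\.cgi(?:\?|$)")
# Assumed trusted management networks (placeholders; replace with your own).
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Common Log Format: client ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def is_trusted(ip: str) -> bool:
    """True only if ip parses and falls inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # garbage in the client field is never trusted
    return any(addr in net for net in TRUSTED_NETWORKS)

def parse_line(line: str):
    """Parse one CLF line; return None for malformed lines so they are skipped."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, method, path, status = m.groups()
    return {"src": src, "ts": ts, "method": method, "path": path, "status": int(status)}

def find_untrusted_soap_requests(lines):
    """Records for requests to the SOAP CGI whose source is not a trusted network."""
    return [
        rec for rec in map(parse_line, lines)
        if rec and SOAP_PATH_RE.search(rec["path"]) and not is_trusted(rec["src"])
    ]

# Constructed sample log lines (TEST-NET documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.168.1.20 - - [05/May/2025:10:00:01 +0200] "POST /soap.cgi HTTP/1.1" 200 512',
    '203.0.113.5 - - [05/May/2025:10:00:07 +0200] "POST /soap.cgi HTTP/1.1" 200 512',
    '203.0.113.5 - - [05/May/2025:10:00:09 +0200] "GET /index.html HTTP/1.1" 200 2048',
    '198.51.100.9 - - [05/May/2025:10:00:12 +0200] "POST /soap.cgi?x=1 HTTP/1.1" 500 0',
    'not a log line',
]

if __name__ == "__main__":
    for rec in find_untrusted_soap_requests(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['src']} {rec['method']} {rec['path']} -> {rec['status']}: "
              "SOAP request from untrusted network")
```

Any hit from a source outside the management networks is worth a firewall rule and a look at the device; a burst of 5xx responses on this path from one source is the kind of unusual pattern recommendation 4 asks you to watch for.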
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-05-05T16:51:28.370Z
- CISA Enriched: true
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 682d981cc4522896dcbda994
Added to database: 5/21/2025, 9:08:44 AM
Last enriched: 7/5/2025, 7:25:54 PM
Last updated: 8/18/2025, 11:33:35 PM