CVE-2025-4350 is a critical command injection vulnerability identified in the D-Link DIR-600L router, specifically affecting firmware versions up to 2.07B01. The vulnerability resides in the wake_on_lan function, where improper sanitization of the 'host' argument allows an attacker to inject arbitrary commands. This flaw enables remote attackers to execute commands on the device without requiring user interaction or prior authentication, as indicated by the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L). The vulnerability impacts the confidentiality, integrity, and availability of the affected device, as attackers can execute arbitrary commands potentially leading to full device compromise. The vulnerability is notable because it affects devices that are no longer supported by the vendor, meaning no official patches or updates are available, increasing the risk for long-term exploitation. Although no known exploits are currently reported in the wild, the high CVSS score of 8.7 and the ease of exploitation make this a significant threat. The vulnerability does not require user interaction and can be triggered remotely over the network, which increases the attack surface. Given the nature of the device—a consumer-grade router—successful exploitation could allow attackers to manipulate network traffic, intercept sensitive data, or use the compromised device as a foothold for further attacks within the network environment.

For European organizations, the exploitation of this vulnerability could have severe consequences. Many small and medium-sized enterprises (SMEs) and home office setups rely on consumer-grade routers like the D-Link DIR-600L for internet connectivity. A compromised router could lead to interception of sensitive communications, unauthorized access to internal networks, and disruption of business operations. The lack of vendor support means organizations cannot rely on official patches, increasing the risk of persistent exploitation. Additionally, the vulnerability could be leveraged to launch broader attacks such as lateral movement within corporate networks or as part of botnets for distributed denial-of-service (DDoS) attacks. Critical sectors such as finance, healthcare, and government agencies using these devices in less secure environments may face increased risk of data breaches and operational disruptions. The remote and unauthenticated nature of the exploit further exacerbates the threat, as attackers can target vulnerable devices over the internet without needing physical access or user interaction.

Given the absence of official patches due to end-of-life status of the affected devices, European organizations should prioritize the following mitigations: 1) Immediate replacement of all D-Link DIR-600L routers with supported and updated models that receive regular security updates. 2) If replacement is not immediately feasible, isolate the vulnerable devices from direct internet exposure by placing them behind a firewall or using network segmentation to limit access to the device's management interface. 3) Disable the wake_on_lan feature entirely if it is not required, as this is the vulnerable function. 4) Monitor network traffic for unusual activity that could indicate exploitation attempts, including unexpected command execution or outbound connections from the router. 5) Implement strict network access controls and restrict management interface access to trusted IP addresses only. 6) Educate users and IT staff about the risks of using unsupported hardware and the importance of timely hardware lifecycle management. 7) Consider deploying network intrusion detection systems (NIDS) capable of detecting command injection patterns or anomalous router behavior. These steps will help mitigate the risk until devices can be fully replaced.