
CVE-2025-4443: Command Injection in D-Link DIR-605L

Severity: Medium
Type: Vulnerability
Published: Thu May 08 2025 (05/08/2025, 23:31:26 UTC)
Source: CVE
Vendor/Project: D-Link
Product: DIR-605L

Description

A vulnerability was found in D-Link DIR-605L 2.13B01. It has been rated as critical. This issue affects the function sub_454F2C. The manipulation of the argument sysCmd leads to command injection. The attack may be initiated remotely. The vendor was contacted early about this disclosure. This vulnerability only affects products that are no longer supported by the maintainer.

AI-Powered Analysis

Last updated: 07/05/2025, 03:12:20 UTC

Technical Analysis

CVE-2025-4443 is a command injection vulnerability in D-Link DIR-605L router firmware version 2.13B01. The vulnerability resides in the function sub_454F2C, where manipulation of the argument sysCmd allows an attacker to inject arbitrary commands. The flaw can be exploited remotely and needs no user interaction, but the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L) does specify low privileges (PR:L), implying that some form of limited access or network access to the device's management interface is necessary. The vulnerability is rated with a CVSS 4.0 base score of 5.3, categorized as medium severity. However, the description notes it as critical, likely reflecting the potential impact of command injection vulnerabilities in general.

The affected product, DIR-605L, is no longer supported by the vendor, meaning no official patches or updates are available. The vulnerability could allow an attacker to execute arbitrary system commands on the device, potentially leading to full compromise of the router, interception or manipulation of network traffic, or pivoting into internal networks. The absence of known exploits in the wild suggests it is not yet actively exploited, but the ease of exploitation and lack of vendor support increase the risk over time. The lack of scope change (S:N) means the impact is confined to the vulnerable device itself. Given the router's role as a network gateway, successful exploitation could severely impact network confidentiality, integrity, and availability.

Potential Impact

For European organizations, the exploitation of this vulnerability could lead to significant security risks. Many small and medium enterprises (SMEs) and home offices in Europe use consumer-grade routers like the D-Link DIR-605L for internet connectivity. A compromised router could allow attackers to intercept sensitive communications, redirect traffic to malicious sites, or launch further attacks within the internal network. This could result in data breaches, loss of intellectual property, disruption of business operations, and potential regulatory non-compliance under GDPR due to compromised data confidentiality. The fact that the device is no longer supported means organizations relying on these routers face prolonged exposure without vendor patches, increasing the window of opportunity for attackers. Additionally, compromised routers could be used as part of botnets for distributed denial-of-service (DDoS) attacks, further impacting network availability. The medium CVSS score may underestimate the real-world impact given the critical nature of command injection vulnerabilities in network infrastructure devices.

Mitigation Recommendations

Since the affected product is no longer supported and no official patches are available, European organizations should prioritize the replacement of D-Link DIR-605L routers with currently supported and updated devices. Network administrators should immediately isolate these devices from critical network segments and restrict access to their management interfaces, ideally limiting access to trusted IP addresses or via VPN. Implement network segmentation to minimize the impact of a compromised router. Monitoring network traffic for unusual patterns or command injection attempts targeting the router’s interfaces can help detect exploitation attempts. Employ network intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics for command injection attacks. Additionally, organizations should enforce strong network access controls and consider deploying endpoint security solutions that can detect lateral movement originating from compromised routers. Regular network device inventories and asset management will help identify and track vulnerable devices to ensure timely remediation.
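The monitoring heuristic recommended above can be prototyped as follows. This is an added example, not code from the advisory or from D-Link; it assumes sysCmd reaches the router as an HTTP query or form parameter, and the endpoint path, IP addresses and request records are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Characters and sequences a shell treats as separators or substitution.
SHELL_META = re.compile(r"[;&|`<>\n\r]|\$\(|\$\{")

# Constructed sample records: (source IP, request line, form body).
# The endpoint path is a placeholder, not taken from the advisory.
SAMPLE_REQUESTS = [
    ("192.0.2.10", "POST /PLACEHOLDER_ENDPOINT HTTP/1.1", "sysCmd=ping+-c+1+198.51.100.1"),
    ("192.0.2.44", "POST /PLACEHOLDER_ENDPOINT HTTP/1.1", "sysCmd=ping+198.51.100.1%3Bid"),
    ("192.0.2.45", "GET /PLACEHOLDER_ENDPOINT?sysCmd=a%2560id%2560 HTTP/1.1", ""),
    ("192.0.2.11", "GET /index.html HTTP/1.1", ""),
]

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so that %253B is seen as ';'."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def sys_cmd_values(request_line, body):
    """Collect every sysCmd value from the query string and the form body."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return []  # malformed request line, nothing to inspect
    values = []
    for source in (urlsplit(parts[1]).query, body):
        values += parse_qs(source, keep_blank_values=True).get("sysCmd", [])
    return values

def detect(requests):
    """Return (source IP, decoded sysCmd, matched token) for suspicious requests."""
    findings = []
    for src_ip, request_line, body in requests:
        for raw in sys_cmd_values(request_line, body):
            decoded = fully_decode(raw)
            hit = SHELL_META.search(decoded)
            if hit:
                findings.append((src_ip, decoded, hit.group()))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_REQUESTS):
        print(finding)
```

The decoding loop matters because a single round of URL decoding leaves double-encoded metacharacters such as `%2560` invisible to a simple signature.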


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-05-08T17:01:36.944Z
CISA Enriched: true
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682d9818c4522896dcbd7d97

Added to database: 5/21/2025, 9:08:40 AM

Last enriched: 7/5/2025, 3:12:20 AM

Last updated: 7/28/2025, 10:09:19 PM
