CVE-2025-4445 is a command injection vulnerability identified in the D-Link DIR-605L router, specifically affecting firmware version 2.13B01. The vulnerability resides in the wake_on_lan function, where improper validation of the 'mac' argument allows an attacker to inject arbitrary commands. This flaw enables remote exploitation without requiring user interaction or authentication, as the vulnerable function can be triggered remotely. The vulnerability is classified with a CVSS 4.0 base score of 5.3, indicating a medium severity level. The vector details show that the attack can be launched over the network (AV:N), requires low attack complexity (AC:L), no privileges (PR:L) but some limited privileges are needed, no user interaction (UI:N), and has low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). The scope remains unchanged (S:U). Importantly, the affected product is no longer supported by the vendor, meaning no official patches or updates are available to remediate this vulnerability. Although there are no known exploits in the wild at the time of publication, the nature of command injection vulnerabilities makes this a significant risk if attackers develop exploit code. The wake_on_lan function typically allows remote devices to power on the router or connected devices, and improper sanitization of input parameters in this function can lead to execution of arbitrary system commands, potentially allowing attackers to take control of the device or disrupt network operations.

For European organizations, the impact of this vulnerability could be substantial, especially for small and medium enterprises or home office environments that still use the D-Link DIR-605L router with the affected firmware. Successful exploitation could allow attackers to execute arbitrary commands on the router, potentially leading to full device compromise. This could result in interception or manipulation of network traffic, disruption of internet connectivity, or use of the compromised router as a foothold for further attacks within the internal network. Given that the device is no longer supported, organizations cannot rely on vendor patches, increasing the risk of persistent exposure. Critical infrastructure or organizations with remote workforce relying on such routers may face operational disruptions or data breaches. However, the medium CVSS score and low impact on confidentiality, integrity, and availability suggest that while exploitation is serious, it may not lead to catastrophic outcomes unless combined with other vulnerabilities or used as part of a larger attack chain.

Since the affected D-Link DIR-605L devices are no longer supported and no official patches are available, organizations should prioritize the following mitigations: 1) Replace or upgrade affected routers to currently supported models with updated firmware to eliminate the vulnerability. 2) If replacement is not immediately feasible, disable the wake_on_lan feature entirely to prevent exploitation of the vulnerable function. 3) Restrict remote management access to the router by disabling WAN-side administration and limiting access to trusted internal networks only. 4) Implement network segmentation to isolate vulnerable devices from critical systems and sensitive data. 5) Monitor network traffic for unusual activity that could indicate exploitation attempts, such as unexpected command execution or anomalous wake_on_lan packets. 6) Educate users and administrators about the risks of using unsupported hardware and the importance of timely hardware lifecycle management. These steps go beyond generic advice by focusing on compensating controls and operational changes given the lack of vendor support.