
CVE-2025-55848: n/a

Severity: Medium
Published: Fri Sep 26 2025 (09/26/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

An issue was discovered in DIR-823 firmware 20250416. There is an RCE vulnerability in the set_cassword settings interface, as the http_casswd parameter is not filtered by '&' to allow injection of reverse connection commands.

AI-Powered Analysis

Last updated: 09/26/2025, 20:40:39 UTC

Technical Analysis

CVE-2025-55848 is a remote code execution (RCE) vulnerability in DIR-823 firmware version 20250416. It arises from improper input validation in the set_cassword settings interface, specifically in the http_casswd parameter. Because the parameter does not filter the ampersand character ('&'), an attacker can append additional shell commands, including reverse-shell commands, to the value and have them executed on the device. The weakness is classified as CWE-77 (command injection). The CVSS v3.1 base score is 6.5 (medium). The attack vector is network-based (AV:N), requires no privileges (PR:N) and no user interaction (UI:N), and affects confidentiality and integrity but not availability. No exploits are currently reported in the wild, and no patch has been published yet. In practice this means an unauthenticated attacker who can reach the HTTP management interface can execute commands on the device, potentially compromising it and any network it is connected to.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for those relying on DIR-823 devices within their network infrastructure. Successful exploitation could give attackers unauthorized access to the device, leading to data leakage (confidentiality impact) and unauthorized modification of device configuration or network traffic (integrity impact). Although availability is not directly affected, compromised devices could serve as footholds for lateral movement or be enrolled in botnets. Organizations in sectors with critical infrastructure or sensitive data, such as finance, healthcare, and government, face elevated risk. Because no authentication or user interaction is required, the attack is easy to carry out remotely, and the likelihood of exploitation rises sharply wherever the management interface is exposed to untrusted networks or the internet.

Mitigation Recommendations

Organizations should immediately assess their network for the presence of DIR-823 devices running the vulnerable firmware version 20250416. Since no official patches are currently available, mitigation should focus on network-level controls: restrict access to the device management interface by implementing firewall rules that limit management access to trusted IP addresses only; disable remote management features if not required; monitor network traffic for unusual outbound connections that may indicate exploitation attempts; and implement intrusion detection/prevention systems (IDS/IPS) with signatures targeting command injection attempts. Additionally, organizations should engage with the vendor for firmware updates and apply patches as soon as they become available. Regularly auditing device configurations and maintaining an asset inventory will help in timely identification and remediation of vulnerable devices.
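The mitigation section recommends monitoring for command-injection attempts. The following detector is an added example, not code from the advisory or the vendor: it scans constructed proxy/access-log lines for requests to the set_cassword endpoint and flags http_casswd values that carry shell metacharacters. It assumes the parameter is visible in the request target (query string); a parameter sent in a POST body would need a full request capture instead, and the log format and sample requests are made up for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Shell metacharacters that let a value break out of a command string. '&' is
# the one the advisory names; the rest are the usual companions worth alerting on.
SHELL_META = re.compile(r"[&;|`$()\n\r]")

# Combined-style access-log request line: source, timestamp, method, target.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

# Constructed sample log lines (not from the page). Only the endpoint and
# parameter names come from the advisory; addresses and values are invented.
SAMPLE_LOG = """\
192.0.2.10 - - [26/Sep/2025:10:00:01 +0000] "GET /set_cassword?http_casswd=Summer2025 HTTP/1.1" 200 12
192.0.2.11 - - [26/Sep/2025:10:00:05 +0000] "GET /set_cassword?http_casswd=pw%26id HTTP/1.1" 200 12
192.0.2.12 - - [26/Sep/2025:10:00:09 +0000] "GET /other?http_casswd=%26 HTTP/1.1" 404 0
192.0.2.13 - - [26/Sep/2025:10:00:12 +0000] "GET /set_cassword?http_casswd=%24%28id%29&x=1 HTTP/1.1" 200 12
"""


def check_request(target: str) -> list[str]:
    """Return the shell metacharacters found in http_casswd, or [] if clean."""
    parts = urlsplit(target)
    if not parts.path.endswith("/set_cassword"):
        return []
    # parse_qs splits on the literal '&' first and percent-decodes afterwards,
    # so an injected '&' sent as %26 shows up inside the value here rather than
    # being consumed as a query-string separator.
    values = parse_qs(parts.query, keep_blank_values=True).get("http_casswd", [])
    found: set[str] = set()
    for value in values:
        found.update(SHELL_META.findall(value))
    return sorted(found)


def scan_log(text: str) -> list[dict]:
    """Return one alert per log line whose http_casswd value looks injected."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        chars = check_request(m["target"])
        if chars:
            alerts.append({"src": m["src"], "ts": m["ts"], "chars": chars})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['src']} suspicious http_casswd chars: {alert['chars']}")
```

A legitimate password may itself contain these characters, so treat a hit as a signal to inspect the request rather than as proof of exploitation.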


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-08-16T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68d6fa2b4787b50b9b4329ce

Added to database: 9/26/2025, 8:40:11 PM

Last enriched: 9/26/2025, 8:40:39 PM

Last updated: 9/28/2025, 12:09:51 AM
