CVE-2025-5621: OS Command Injection in D-Link DIR-816
A vulnerability has been found in D-Link DIR-816 1.10CNB05 and classified as critical. Affected by this vulnerability is the function qosClassifier of the file /goform/qosClassifier. Manipulation of the dip_address or sip_address argument leads to OS command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
AI Analysis
Technical Summary
CVE-2025-5621 is a critical OS command injection vulnerability identified in the D-Link DIR-816 router, specifically affecting firmware version 1.10CNB05. The vulnerability resides in the qosClassifier function within the /goform/qosClassifier endpoint. An attacker can manipulate the dip_address or sip_address parameters to inject arbitrary operating system commands. This injection flaw allows remote attackers to execute commands on the underlying system without any authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The vulnerability is present in a product that is no longer supported by the vendor, meaning no official patches or updates are available to remediate the issue. Although the CVSS score is 6.9 (medium severity), the nature of OS command injection typically implies a high risk due to the potential for full system compromise. The vulnerability affects network availability, confidentiality, and integrity by enabling attackers to execute arbitrary commands, potentially leading to device takeover, network pivoting, or disruption of network services. The exploit has been publicly disclosed, increasing the risk of exploitation, but there are no confirmed reports of active exploitation in the wild at this time.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those using the affected D-Link DIR-816 routers in their network infrastructure. Compromise of these routers could lead to unauthorized access to internal networks, interception or manipulation of network traffic, and disruption of critical network services. Given that the device is a consumer-grade router, it may be deployed in small offices or home office environments, which are often less monitored and secured, making them attractive targets for attackers seeking entry points into larger corporate networks. The lack of vendor support means organizations cannot rely on official patches, increasing the likelihood that vulnerable devices remain in operation. This could facilitate lateral movement by attackers within European networks, data exfiltration, or launching further attacks on connected systems. The vulnerability's remote exploitability without authentication further exacerbates the risk, as attackers can scan for and target exposed devices directly over the internet or internal networks.
Mitigation Recommendations
Since the affected D-Link DIR-816 devices are no longer supported and no official patches are available, European organizations should prioritize the following mitigations:
1) Immediate inventory and identification of all DIR-816 routers running firmware version 1.10CNB05 or similar affected versions.
2) Replace or upgrade affected devices with currently supported hardware that receives regular security updates.
3) If replacement is not immediately feasible, isolate the vulnerable routers from direct internet exposure by placing them behind firewalls or network segmentation controls to restrict access to the /goform/qosClassifier endpoint.
4) Employ network intrusion detection/prevention systems (IDS/IPS) to monitor and block suspicious traffic patterns indicative of command injection attempts targeting these devices.
5) Disable or restrict QoS features if possible, to reduce the attack surface related to the vulnerable function.
6) Implement strict network access controls and ensure that management interfaces are not accessible from untrusted networks.
7) Educate IT staff and users about the risks associated with unsupported network devices and the importance of timely hardware lifecycle management.
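Recommendation 4 asks for monitoring of traffic aimed at the vulnerable endpoint. The following is an added example, not code from the advisory, from D-Link or from VulDB, of how such a check can be written on the defender's side: it reads access-log lines in a constructed NCSA combined-style format (assumed to come from a reverse proxy, IDS or SIEM sitting in front of the router), picks out requests to /goform/qosClassifier, and flags any dip_address or sip_address value that is not a bare IP address. The allowlist approach means detection does not depend on knowing particular payload shapes; any shell metacharacter, whitespace or hostname in those fields fails the check. The function names, the log format and the sample lines are all constructed for this example.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameter names taken from the advisory.
WATCHED_PATH = "/goform/qosClassifier"
WATCHED_PARAMS = frozenset({"dip_address", "sip_address"})

# Assumed (constructed) log format: NCSA combined-style request lines as a
# reverse proxy, IDS or SIEM in front of the router might record them.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def is_plain_ip(value: str) -> bool:
    """Allowlist: a QoS classifier address must be a bare IPv4/IPv6 literal.
    Anything else (metacharacters, whitespace, hostnames) is rejected."""
    try:
        ipaddress.ip_address(value.strip())
    except ValueError:
        return False
    return True


def suspicious_params(form: str) -> dict:
    """Return {param: value} for watched parameters whose values fail the
    allowlist. `form` is a URL-encoded query string or form body, so the
    same check works for GET query strings and for POST bodies if the
    logging layer records them."""
    bad = {}
    for name, values in parse_qs(form, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            # parse_qs decoded once; decode again so double-encoded
            # characters (e.g. %253B) are judged in their final form.
            decoded = unquote(value)
            if not is_plain_ip(decoded):
                bad[name] = decoded
    return bad


def analyse_access_log(lines):
    """Return one alert dict per request to the vulnerable endpoint whose
    watched parameters contain anything other than an IP address."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        parts = urlsplit(m["target"])
        if parts.path != WATCHED_PATH:
            continue
        bad = suspicious_params(parts.query)
        if bad:
            alerts.append({"src": m["src"], "ts": m["ts"],
                           "method": m["method"], "params": bad})
    return alerts


# Constructed sample lines; only the second carries a non-IP value.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Jun/2025:11:49:11 +0000] '
    '"GET /goform/qosClassifier?dip_address=10.0.0.5&sip_address=10.0.0.9 HTTP/1.1" 200',
    '198.51.100.7 - - [05/Jun/2025:11:50:02 +0000] '
    '"GET /goform/qosClassifier?dip_address=10.0.0.5%3BINJECTED&sip_address=10.0.0.9 HTTP/1.1" 200',
    '192.0.2.10 - - [05/Jun/2025:11:51:30 +0000] "GET /index.htm HTTP/1.1" 200',
]

if __name__ == "__main__":
    for alert in analyse_access_log(SAMPLE_LOG):
        print(alert)
```

Plain access logs only carry the query string; because /goform handlers on these devices are typically driven by form posts, the same `suspicious_params` check should be applied to the request body wherever the proxy or IDS can log it. Alerts from this check are a trigger to confirm the device is segmented per recommendation 3 and to schedule its replacement per recommendation 2.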
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-06-04T11:10:14.987Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68418437182aa0cae2dcccb7
Added to database: 6/5/2025, 11:49:11 AM
Last enriched: 7/7/2025, 4:10:15 AM
Last updated: 7/30/2025, 4:12:51 PM