CVE-2025-8978 is a high-severity vulnerability affecting the D-Link DIR-619L router, specifically version 6.02CN02. The flaw resides in the FirmwareUpgrade function of the embedded boa web server component. The vulnerability is characterized by insufficient verification of data authenticity during the firmware upgrade process. This means that the device does not adequately validate the integrity or origin of the firmware image before applying it. An attacker with high privileges on the device or network could exploit this weakness remotely to upload and install malicious firmware. However, the attack complexity is considered high, and exploitation is difficult, requiring advanced skills or conditions. The vulnerability has been publicly disclosed, but no known exploits have been observed in the wild to date. Importantly, this vulnerability affects a product that is no longer supported by the vendor, implying no official patches or updates are available. The CVSS v4.0 score is 7.5, reflecting a high severity due to the potential for significant impact on confidentiality, integrity, and availability, combined with the difficulty of exploitation and the requirement for high privileges. The vulnerability does not require user interaction but does require privileged access, which limits the attack surface somewhat. The lack of vendor support increases the risk for affected users as mitigation options are limited to workarounds or device replacement.

For European organizations, this vulnerability poses a significant risk primarily to those still operating legacy D-Link DIR-619L routers with firmware version 6.02CN02. Exploitation could lead to unauthorized firmware installation, resulting in full compromise of the device. This could enable attackers to intercept or manipulate network traffic, disrupt network availability, or use the compromised router as a foothold for further attacks within the organization’s network. Given that the device is typically used in small office or home office environments, the impact might be more pronounced in SMEs or remote workers relying on this hardware. The absence of vendor support means no official patches are available, increasing the risk of prolonged exposure. Additionally, compromised routers could be leveraged in botnets or for lateral movement, potentially affecting broader organizational infrastructure. The high complexity and required privileges reduce the likelihood of widespread exploitation but do not eliminate the risk, especially from targeted attacks or insider threats.

Since no official patches are available due to the product being out of support, European organizations should prioritize the following mitigations: 1) Immediate replacement of the affected D-Link DIR-619L devices with currently supported and actively maintained hardware to eliminate the vulnerability. 2) If replacement is not immediately feasible, restrict access to the router’s management interface by implementing strict network segmentation and firewall rules to limit administrative access to trusted personnel only. 3) Monitor network traffic for unusual activity that could indicate exploitation attempts, such as unexpected firmware upgrade requests or anomalous outbound connections. 4) Employ network intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics targeting firmware upgrade anomalies on D-Link devices. 5) Enforce strong authentication and credential management to prevent attackers from gaining the high privileges required for exploitation. 6) Educate users and administrators about the risks of using unsupported hardware and the importance of timely device upgrades. 7) Maintain an inventory of network devices to identify and track legacy equipment that may pose security risks.