CVE-2025-9003 is a cross-site scripting (XSS) vulnerability identified in the D-Link DIR-818LW router, specifically in version 1.04 of its firmware. The vulnerability resides in the DHCP Reserved Address Handler component, within the /bsc_lan.php file. The issue arises from improper sanitization of the 'Name' argument, which can be manipulated by an attacker to inject malicious scripts. This vulnerability is remotely exploitable, meaning an attacker can initiate the attack over the network without requiring physical access. However, exploitation requires at least low-level privileges (PR:L) and user interaction (UI:P), such as tricking an authenticated user into clicking a crafted link or visiting a malicious page. The vulnerability does not require authentication (AT:N), but the CVSS vector indicates partial privileges are needed, suggesting some form of limited access or session context is necessary. The impact primarily affects confidentiality and integrity by enabling script execution in the context of the router's web interface, potentially leading to session hijacking, credential theft, or manipulation of router settings. Availability impact is minimal. The vulnerability affects products that are no longer supported by D-Link, meaning no official patches or updates are available, increasing the risk for users who continue to operate these devices. No known exploits are currently in the wild, but the medium severity score (CVSS 5.1) indicates a moderate risk that could be leveraged in targeted attacks or combined with other vulnerabilities for greater impact.

For European organizations, the impact of this vulnerability depends on the prevalence of the D-Link DIR-818LW router within their network infrastructure. Small and medium enterprises (SMEs) or home offices using this device could be at risk of unauthorized access or manipulation of network configurations through XSS attacks. Attackers exploiting this vulnerability could gain access to sensitive network management interfaces, potentially leading to interception of internal traffic, redirection of DNS queries, or insertion of malicious payloads into network traffic. This could compromise confidentiality and integrity of organizational data. Since the device is no longer supported, organizations relying on it face increased risk due to the absence of vendor patches. Additionally, the need for user interaction and some privilege level reduces the likelihood of widespread automated exploitation but does not eliminate targeted attacks, especially in environments where users may be less security-aware. The vulnerability could also be leveraged as a foothold for lateral movement within a network if attackers gain initial access through phishing or social engineering.

Given the lack of official patches, European organizations should prioritize replacing the affected D-Link DIR-818LW devices with supported and updated hardware to eliminate the vulnerability. If immediate replacement is not feasible, organizations should restrict access to the router's management interface by limiting it to trusted internal networks and disabling remote management features. Implement network segmentation to isolate vulnerable devices from critical systems. Employ web filtering and endpoint security solutions to reduce the risk of users interacting with malicious content that could trigger the XSS attack. Regularly monitor network traffic and router logs for suspicious activities indicative of exploitation attempts. Educate users about the risks of clicking unknown links or interacting with unsolicited content that could facilitate exploitation. Additionally, consider deploying intrusion detection/prevention systems (IDS/IPS) with signatures targeting known XSS attack patterns to detect and block attempts. Finally, maintain an inventory of network devices to identify unsupported hardware and plan for timely upgrades.