CVE-2025-9752: OS Command Injection in D-Link DIR-852
A security vulnerability has been detected in D-Link DIR-852 1.00CN B09. Impacted is the function soapcgi_main of the file soap.cgi of the component SOAP Service. Manipulation of the argument service leads to OS command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
AI Analysis
Technical Summary
CVE-2025-9752 is a security vulnerability identified in the D-Link DIR-852 router, specifically version 1.00CN B09. The vulnerability resides in the SOAP Service component, within the soapcgi_main function of the soap.cgi file. It is an OS command injection flaw triggered by manipulation of the 'service' argument. It allows an unauthenticated remote attacker to execute arbitrary operating system commands on the affected device without user interaction. The flaw arises because input passed to the 'service' parameter is not properly sanitized before being used in system-level commands, so attacker-controlled text is interpreted as part of a shell command. The vulnerability has been publicly disclosed, but no exploitation in the wild has been observed to date. Importantly, the affected product version is no longer supported by the vendor, meaning no official patches or updates are available to remediate this issue. The CVSS v4.0 base score is 6.9, indicating medium severity, with a network attack vector, no privileges or user interaction required, and limited impact on confidentiality, integrity, and availability. Successful exploitation could allow attackers to gain control over the router, potentially leading to network compromise, interception or manipulation of traffic, or use of the device as a foothold for further attacks.
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to those still using the affected D-Link DIR-852 router version 1.00CN B09, which is an older and unsupported model. Exploitation could lead to unauthorized remote control of the router, enabling attackers to intercept sensitive communications, manipulate network traffic, or pivot into internal networks. This is particularly concerning for small and medium enterprises or home office environments where such routers are more commonly deployed. The lack of vendor support means no official patches are available, increasing the risk of prolonged exposure. Additionally, compromised routers could be enlisted in botnets or used to launch attacks against other targets, impacting broader network security. However, the medium severity and limited scope reduce the likelihood of widespread critical impact across large enterprises with modern infrastructure. Still, the threat to confidentiality and integrity of network communications and potential availability disruptions should not be underestimated.
Mitigation Recommendations
Given the absence of official patches, European organizations should take immediate practical steps to mitigate this vulnerability. First, identify all devices running the affected D-Link DIR-852 firmware version 1.00CN B09 through network asset inventories and scanning tools. Replace or upgrade these devices to newer, supported models with updated firmware that addresses this and other vulnerabilities. If replacement is not immediately feasible, restrict remote access to the router's management interfaces by implementing network segmentation and firewall rules to limit exposure to untrusted networks, especially the internet. Disable SOAP services or any unnecessary remote management features on the device to reduce the attack surface. Monitor network traffic for unusual patterns that may indicate exploitation attempts. Additionally, educate users about the risks of using unsupported hardware and encourage timely hardware lifecycle management. For critical environments, consider deploying network intrusion detection systems (NIDS) capable of detecting command injection attempts targeting SOAP services.
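Two of the recommendations above (restricting soap.cgi to trusted networks and monitoring for exploitation attempts) can be checked against web-server access logs. The following is an added example written for this page, not code from D-Link or from the advisory's authors. It assumes the 'service' argument is visible in the request line as a query-string parameter and that access logs are in the common combined format; if the router's SOAP endpoint takes the argument in the POST body, the same two checks apply to the decoded body instead. The log lines are constructed for illustration, and the RFC 1918 ranges stand in for whatever networks an organization actually trusts.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (combined-log style). They are illustrative
# only and were not captured from a real DIR-852.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Sep/2025:00:10:01 +0000] "POST /soap.cgi?service=DeviceInfo HTTP/1.1" 200 512
203.0.113.7 - - [01/Sep/2025:00:10:05 +0000] "POST /soap.cgi?service=DeviceInfo HTTP/1.1" 200 512
203.0.113.7 - - [01/Sep/2025:00:10:09 +0000] "POST /soap.cgi?service=DeviceInfo%3Bid HTTP/1.1" 500 0
10.0.0.9 - - [01/Sep/2025:00:11:00 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# Source address, timestamp, method, request target and status from a combined-log line.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell metacharacters that have no legitimate place in a SOAP service name.
SHELL_META = re.compile(r'[;|&`$<>\n\r]|\$\(')

# Assumed trusted management networks (placeholder: use the real allow-list).
TRUSTED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_trusted_source(addr):
    """True if the client address falls inside one of the trusted networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)


def service_params(target):
    """Return every 'service' value of a soap.cgi request, or None for other paths."""
    parts = urlsplit(target)
    if not parts.path.endswith("/soap.cgi"):
        return None
    return [v for k, v in parse_qsl(parts.query, keep_blank_values=True) if k == "service"]


def analyze(lines):
    """Flag soap.cgi requests from untrusted sources and/or with shell metacharacters."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        values = service_params(m["target"])
        if values is None:
            continue
        reasons = []
        if not is_trusted_source(m["src"]):
            reasons.append("soap.cgi reached from untrusted network")
        for v in values:
            # parse_qsl already percent-decoded once; decode again so a
            # double-encoded metacharacter (e.g. %253B) is not missed.
            if SHELL_META.search(unquote(v)):
                reasons.append("shell metacharacter in service argument")
                break
        if reasons:
            findings.append({"src": m["src"], "ts": m["ts"], "service": values, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['src']} service={f['service']}: {'; '.join(f['reasons'])}")
```

Any hit on the first reason means the segmentation or firewall rules are not doing their job, regardless of whether the request was malicious; a hit on the second reason is a candidate exploitation attempt and the source should be investigated. Matching only on raw log text without decoding would miss the percent-encoded case, which is why the check decodes before testing.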
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Poland, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-31T08:18:37.778Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68b4ea0cad5a09ad00c5da88
Added to database: 9/1/2025, 12:34:20 AM
Last enriched: 9/8/2025, 6:50:30 AM
Last updated: 10/16/2025, 6:38:42 PM