D-Link DIR-816L CVE-2025-7836
Severity (by source): LOW
CVSS Vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability has been found in D-Link DIR-816L up to 2.06B01 and classified as critical. Affected by this vulnerability is the function lxmldbc_system of the file /htdocs/cgibin of the component Environment Variable Handler. The manipulation leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
Analysis (AI)
Command injection in D-Link DIR-816L firmware up to and including version 2.06B01 allows an authenticated remote attacker to execute arbitrary system commands through the lxmldbc_system function in the Environment Variable Handler component of /htdocs/cgibin. The affected hardware is end-of-life and receives no vendor support, and public exploit code is available. The source nevertheless rates real-world exploitation probability as low: the attack is network-reachable (AV:N) but requires valid credentials for the management interface (PR:L), so actual exposure is driven by how reachable that interface is and how well its credentials are managed.
Technical Context (AI)
The vulnerability exists in the web-based management interface of the D-Link DIR-816L router, specifically in the Environment Variable Handler component of /htdocs/cgibin, which passes user-controlled input to the lxmldbc_system function. The component name indicates that the tainted value arrives through a CGI environment variable, i.e. request data the HTTP server exposes to the CGI binary through its environment. The root cause is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'): the value is formatted into a command string without being validated or escaped before that string is handed to a shell. An authenticated user can therefore supply shell metacharacters that terminate the intended command and append another, which runs with the privileges of the web server process; on embedded routers of this class that process commonly runs as root, so a successful injection should be treated as full compromise of the device.
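The pattern just described, as an added example that is not the DIR-816L firmware source: a reconstruction of a printf-style wrapper that flattens caller-supplied data into one string destined for system(), shown next to a hardened equivalent that validates the value against an allowlist and executes without any shell. Every function name other than lxmldbc_system is hypothetical, and the sample values are constructed for the example.

```c
/* Added example, not firmware code. Reconstructs the vulnerable pattern
 * attributed to lxmldbc_system and contrasts it with a hardened form.
 * build_command_vuln, contains_shell_metachar, is_safe_argument and
 * run_without_shell are hypothetical names chosen for this example. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern: a format string plus caller-supplied values are
 * flattened into a single string that the real function hands to system(),
 * i.e. to /bin/sh. Here the string is returned instead of executed so the
 * effect can be inspected. Note that vsnprintf's bound prevents overflow
 * but does nothing against injection: the problem is the shell, not the buffer. */
int build_command_vuln(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;                 /* real code would do: return system(out); */
}

/* Would /bin/sh interpret anything in this string as more than one command? */
int contains_shell_metachar(const char *s)
{
    return strpbrk(s, ";|&$`<>(){}\n\"'\\") != NULL;
}

/* Hardened, step 1: accept only what the parameter can legitimately be.
 * Constructed allowlist for an interface name or dotted IPv4 address; a
 * leading '-' is rejected so the value cannot become an option either. */
int is_safe_argument(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 32 || s[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        char c = s[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Hardened, step 2: run the program with an argv array and no shell, so a
 * tainted value is at most one argument and can never become a second
 * command. Returns the child's exit status, or -1 on failure. */
int run_without_shell(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demonstration with a value an authenticated request controls, as it would
 * arrive in a CGI environment variable (constructed sample input).
 * Returns 0 when every step behaves as described, a non-zero step number otherwise. */
int demo(void)
{
    char cmd[256];
    const char *benign   = "ppp0";
    const char *injected = "ppp0; reboot";

    build_command_vuln(cmd, sizeof cmd, "ifconfig %s down", benign);
    if (contains_shell_metachar(cmd)) return 1;
    build_command_vuln(cmd, sizeof cmd, "ifconfig %s down", injected);
    if (!contains_shell_metachar(cmd)) return 2;   /* system() would run reboot */

    if (!is_safe_argument(benign) || is_safe_argument(injected)) return 3;

    /* echo receives "ppp0; reboot" as one argument; nothing parses the ';' */
    char *argv[] = { "/bin/echo", (char *)injected, NULL };
    return run_without_shell(argv) == 0 ? 0 : 4;
}

int main(void)
{
    int rc = demo();
    printf("demo: %s (%d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc;
}
```

The allowlist is the part that must be fitted to the real parameter: a value that is legitimately a file path or a free-form string needs a different check, and the safer design is still to avoid building shell command lines at all and use execv-style argument arrays as in run_without_shell.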
Remediation (AI)
No vendor patch is available for this end-of-life device. The primary remediation is to replace affected DIR-816L hardware with a current-generation router that still receives firmware updates. Verify exposure first: check the firmware version on the device's status page (any version up to and including 2.06B01 is affected) and confirm whether the management interface is reachable from the WAN or from untrusted internal segments. Where replacement cannot happen immediately, apply network-based compensating controls: restrict access to the web management interface (TCP 80/443) to a trusted management segment with firewall rules, require VPN access before that segment is reachable, and disable remote (WAN-side) management if it is not actively needed. Because valid credentials are the only barrier to exploitation, audit every account with administrative access to the router, revoke those no longer required, and replace any default or shared passwords. Document the affected devices and schedule their replacement within a timeframe aligned with the organization's risk tolerance for end-of-life hardware.
External POC / Exploit Code