PT-2025-35092 · D Link · D-Link Dir-868L

Shaunak Ganorkar · Published 2025-08-21 · Updated 2025-08-29 · CVE-2025-55583

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

D-Link DIR-868L B1 router firmware version FW2.05WWB02

Description

The D-Link DIR-868L B1 router firmware version FW2.05WWB02 contains an unauthenticated OS command injection vulnerability in the fileaccess.cgi component. The /dws/api/UploadFile API endpoint accepts a pre_api_arg parameter which is passed directly to system-level shell execution functions without proper sanitization or authentication. This allows remote attackers to execute arbitrary commands as root through crafted HTTP requests.

Recommendations

Update to a newer version of the firmware that addresses this issue. As a temporary workaround, restrict access to the /dws/api/UploadFile endpoint. Avoid using the pre_api_arg parameter in the affected API endpoint until the issue is resolved.
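
One way to check whether the workaround is holding is to review web or proxy access logs for any request that reaches the endpoint. The script below is an added example, not part of the advisory or of D-Link's software; the log format (common/combined), the management subnet, the sample lines and the spelling pre_api_arg for the parameter are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/dws/api/UploadFile"   # endpoint named in the advisory
PARAM = "pre_api_arg"              # assumed spelling of the parameter
MGMT_NETS = [ipaddress.ip_network("192.168.0.0/28")]  # assumed admin subnet

# Common/combined log format: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not captured traffic).
SAMPLE_LOG = """\
192.168.0.5 - - [21/Aug/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [21/Aug/2025:10:02:13 +0000] "POST /dws/api/UploadFile?pre_api_arg=x HTTP/1.1" 200 0
192.168.0.5 - - [21/Aug/2025:10:03:40 +0000] "POST /dws/api/UploadFile HTTP/1.1" 200 0
198.51.100.9 - - [21/Aug/2025:10:05:02 +0000] "GET /dws/api/uploadfile/ HTTP/1.1" 404 0
garbage line
"""

def find_hits(log_text):
    """Return one record per request that targeted the affected endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = urlsplit(m["target"])
        # Compare case-insensitively and ignore a trailing slash.
        if url.path.rstrip("/").lower() != ENDPOINT.lower():
            continue
        try:
            trusted = any(ipaddress.ip_address(m["src"]) in n for n in MGMT_NETS)
        except ValueError:
            trusted = False  # hostname or malformed client field
        # Only the query string is visible here; POST bodies are not logged.
        has_param = PARAM in parse_qs(url.query, keep_blank_values=True)
        hits.append({"src": m["src"], "ts": m["ts"], "status": int(m["status"]),
                     "has_param": has_param,
                     "severity": "review" if trusted else "high"})
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

Because the endpoint requires no authentication, requests from the management subnet are still reported, at the lower "review" level.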

Exploit

Fix

Missing Authentication

OS Command Injection

Exposure of Resource to Wrong Sphere

Weakness Enumeration

Related Identifiers

BDU:2025-12546
CVE-2025-55583

Affected Products

D-Link Dir-868L