Last week, the CrowdSec Network added a detection rule for CVE-2025-14528, a vulnerability in old D-Link routers. In this week’s threat alert, we dive into how this vulnerability works, how attackers exploit it, and what makes router vulnerabilities such an attractive target for low-level cybercriminals.

Key findings
- CVE-2025-14528 was published on December 11, 2025, and CrowdSec released a detection rule on February 18, 2026. Active exploitation of CVE-2025-14528 was observed starting February 20, 2026.
- CVE-2025-14528 originates from a lack of access controls on a PHP script running on the router. It allows attackers to read the admin account and password from the local filesystem, enabling further compromise.
- Remote router exploits such as CVE-2025-14528 are often used to build botnets. CrowdSec will continue monitoring this vulnerability to see whether that happens for CVE-2025-14528.
What is the D-Link DIR-803?
The D-Link DIR-803 is a wireless router designed for home and small office networks. It manages internet connectivity and local network traffic for connected devices. While it is an older model, these devices often remain in service for years, forgotten in closets or server rooms, continuing to route traffic for businesses and individuals. The impact of compromising such a device is significant: a router is the gateway to a network, so a vulnerability that enables remote takeover can allow attackers to intercept traffic, launch further attacks on internal devices, or join the device to a botnet.
How does CVE-2025-14528 work?
This vulnerability lies in the /getcfg.php component of the router’s firmware. By manipulating the AUTHORIZED_GROUP argument and injecting newline characters, an unauthenticated remote attacker can bypass the script’s security checks.
Successful exploitation grants the attacker access to the device’s sensitive configuration data in XML format. In particular, the manipulated AUTHORIZED_GROUP value causes the response to include the contents of the local credential storage, so the router sends the admin account and password back to the remote attacker in cleartext.
For more details, we link to the researcher’s short write-up of the exploit and the proof-of-concept attack.
Data Details & Observations of CVE-2025-14528
Data from the CrowdSec Network for CVE-2025-14528 is currently limited to a small number of distinct attacker IPs. The attack patterns indicate that current operations are focused on large-scale scanning to discover vulnerable devices. We believe these operations originate from attackers trying to determine whether, and how many, vulnerable devices still remain in use. This course of action is plausible given that the device itself is officially end-of-life. Based on our previous analysis of the Mozi and Miori botnet families, it is likely that vulnerable devices still exist, especially in developing countries where ISPs are less diligent about replacing the routers used by their customers.
This attack pattern is typical for IoT vulnerabilities, and it is a big reason why we go to the effort of tracking vulnerabilities in devices long past their EoL date. Routers like the DIR-803 usually don’t have any valuable services connected to them, but the fact that a remote attacker could use them as members of a botnet makes them attractive targets. Because the end users of this type of device rarely, if ever, replace it themselves, such routers offer a good platform for botnet use: persistence is easy to maintain. The fact that the botnet traffic originates from residential IP ranges is an added benefit for the attacker.
How to protect your systems
While we could write a standard text snippet here about how to use our WAF to protect your vulnerable, 15-year-old router, we won’t bother this time, because you should really just get a new device (and the chance that any reader still has one of these in their bill of materials is zero). This threat alert was more about sharing a small insight into how botnets are built and what kind of exploits botnet builders usually look for. We will go back to talking about the latest AI tooling exploit (or Fortinet, whichever comes first) next week.
