
CVE-2025-34048: D-Link DSL-2730U/2750U/2750E Path Traversal Arbitrary File Read

8.7 CVSS

Description

A path traversal vulnerability exists in the web management interface of D-Link DSL-2730U, DSL-2750U, and DSL-2750E ADSL routers with firmware versions IN_1.02, SEA_1.04, and SEA_1.07. The vulnerability is due to insufficient input validation on the getpage parameter within the /cgi-bin/webproc CGI script. This flaw allows an unauthenticated remote attacker to perform path traversal attacks by supplying crafted requests, enabling arbitrary file read on the affected device.

Classification

CVE ID: CVE-2025-34048

CVSS Base Severity: HIGH

CVSS Base Score: 8.7

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem Types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-20 Improper Input Validation

Affected Products

Vendor: D-Link

Product: DSL-2730U, DSL-2750U, DSL-2750E

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.26% (probability of being exploited)

EPSS Percentile: 48.85% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-07-09 (date this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-34048
https://www.exploit-db.com/exploits/40735
https://github.com/threat9/routersploit/blob/master/routersploit/modules/exploits/routers/dlink/dsl_2730_2750_path_traversal.py
https://www.dlink.com
https://vulncheck.com/advisories/dlink-dsl-routers-path-traversal-file-read

Timeline