CVE-2025-29165: Privilege Escalation in D-Link DIR-1253 via a Hardcoded Component


An issue in D-Link DIR-1253 MESH V1.6.1684 allows an attacker to escalate privileges through the etc/shadow.sample component by logging in on the console TTY, which in turn opens up another attack vector.


Zuhri


Summary

D-Link DIR-1253 firmware versions <= V1.6.1684 are vulnerable to privilege escalation. The affected file, etc/shadow.sample, contains a hardcoded root credential. The init.d/rcS_{AP,GW} boot scripts install this file as var/shadow, and these scripts are executed when the boot process starts.

Proof of Concept

A fully automated Proof of Concept script.

PoC

Details

The affected component is the file etc/shadow.sample, which contains a hardcoded credential for the root account.

root:$1$KEKJV2R0$TFJ4jy7waGKrjdNHwPGzV.:14587:0:99999:7:::
nobody:*:14495:0:99999:7:::

This hardcoded etc/shadow.sample file is installed as var/shadow by the following boot script, init.d/rcS_AP:30.

#!/bin/sh

# ...

#smbd
mkdir /var/config
mkdir /var/private
mkdir /var/tmp/usb

#for console login
cp /etc/shadow.sample /var/shadow

#extact web pages
cd /web
flash extr /web
cd /

# ...

The same copy is performed by the init.d/rcS_GW:60 boot script.

#!/bin/sh

# ...

#snmpd
mkdir /var/net-snmp

cp /bin/pppoe.sh /var/ppp/true
echo "#!/bin/sh" > /var/ppp/true
#echo "PASS"     >> /var/ppp/true

#for console login
cp /etc/shadow.sample /var/shadow

#for weave
cp /etc/avahi-daemon.conf /var/avahi

#extact web pages
cd /web
flash extr /web
cd /

# ...

Impact

This vulnerability allows an attacker to gain root-level access, for instance via the console TTY, which in turn opens up arbitrary further attack vectors.
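To check an extracted firmware root filesystem for the pattern described under Details, the following added example (not part of the original advisory or of D-Link's code) finds boot-script lines that copy a shipped file to /var/shadow or /etc/shadow and lists the accounts in that file whose password field permits login. The function names, the `rcS*` file-name match and the sample tree with its placeholder hash are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# crypt(3) scheme ids; "1" (MD5-crypt) is the scheme of the root entry shown above.
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
# Uncommented `cp [flags] <src> /var/shadow` (or /etc/shadow) in a boot script.
COPY_RE = re.compile(r"^\s*cp\s+(?:-\S+\s+)*(\S+)\s+(/(?:var|etc)/shadow)\s*$")

def usable_accounts(shadow_text):
    """Return (user, scheme) for each shadow entry that permits password login."""
    found = []
    for line in shadow_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 2 or not fields[0] or fields[0].startswith("#"):
            continue
        user, pw = fields[0], fields[1]
        if pw.startswith(("*", "!")):  # locked entry: no password can match
            continue
        m = re.match(r"\$([0-9a-z]+)\$", pw)
        scheme = SCHEMES.get(m.group(1), "unknown") if m else ("legacy-des" if pw else "empty")
        found.append((user, scheme))
    return found

def audit_rootfs(root):
    """List boot-script lines that install a shipped file as the live shadow file."""
    root, findings = Path(root), []
    for script in sorted(p for p in root.rglob("rcS*") if p.is_file()):
        for lineno, line in enumerate(script.read_text(errors="replace").splitlines(), 1):
            m = COPY_RE.match(line)
            if m:
                src = root / m.group(1).lstrip("/")
                accts = usable_accounts(src.read_text(errors="replace")) if src.is_file() else []
                findings.append((f"{script.relative_to(root).as_posix()}:{lineno}", m.group(1), accts))
    return findings

def build_sample(root):
    """Constructed tree mirroring the advisory's layout; the hash is a placeholder."""
    shadow = "root:$1$SALTSALT$constructedplaceholder:14587:0:99999:7:::\nnobody:*:14495:0:99999:7:::\n"
    rcs = "#!/bin/sh\n#for console login\ncp /etc/shadow.sample /var/shadow\n"
    for rel, text in (("etc/shadow.sample", shadow), ("init.d/rcS_AP", rcs)):
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_text(text)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_rootfs(build_sample(tmp)))
```

Any finding with a non-empty account list means every device running that image boots with the same login credential, so the remediation belongs in the image build (locked entries or per-device provisioning) rather than on individual units.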

Timeline

# Feb 21, 2025:
- Vulnerability reported to dlink.com(.sg).
- dlink.com: "We don't recognize this device".

# Aug 07, 2025:
- Requested a CVE ID from the MITRE CNA.

# Aug 21, 2025:
- CVE-2025-29165 was assigned in the RESERVED state.

# Mar 03, 2026:
- CVE-2025-29165 references were publicly available.

# Mar 05, 2026:
- Requested that the CVE-2025-29165 state be changed to PUBLISHED.
- CVE-2025-29165 advisory was in the PUBLISHED state.

References

# Related Links
- https://codeberg.org/zuhri/advisory/src/branch/main/CVE-2025-29165
- https://www.cve.org/CVERecord?id=CVE-2025-29165
- https://nvd.nist.gov/vuln/detail/CVE-2024-37630
- https://cwe.mitre.org/data/definitions/276.html
- https://cwe.mitre.org/data/definitions/798.html
- https://cwe.mitre.org/data/definitions/269.html

# Firmware Links
- https://codeberg.org/zuhri/advisory/raw/branch/main/CVE-2025-29165/DLINK_N2M_ID_V1.6.1684.bin
- https://github.com/zxhri/DIR-1253
- https://archive.org/details/dir-1253-m-dlink-id-v-1.6.1527